b'Report No. DODIG-2012-087            May 29, 2012\n\n\n\n\n\n          Logistics Modernization Program System \n\n                   Procure-to-Pay Process \n\n           Did Not Correct Material Weaknesses\n\n\x0cAdditional Copies\nTo obtain additional copies of this report, visit the Web site of the Department of Defense\nInspector General at http://www.dodig.mil/audit/reports or contact the Secondary Reports\nDistribution Unit at (703) 604-8937 (DSN 664-8937) or fax (571) 372-7469.\n\nSuggestions for Audits\nTo suggest or request audits, contact the Office of the Deputy Inspector General for Auditing by\nphone (703) 604-9142 (DSN 664-9142), by fax (571) 372-7469, or by mail:\n\n                      Department of Defense Office of Inspector General\n                      Office of the Deputy Inspector General for Auditing\n                      ATTN: Audit Suggestions/13F25-04\n                      4800 Mark Center Drive\n                      Alexandria, VA 22350-1500\n\x0c                                      INSPECTOR GENERAL\n                                       DEPARTMENT OF DEFENSE \n\n                                       4800 MARK CENTER DRIVE \n\n                                    ALEXANDRIA, VIRGINIA 22350-1500 \n\n\n\n\n\n                                                                                        May 29,2012\n\nMEMORANDUM FOR UNDER SECRETARY OF DEFENSE (COMPTROLLER)/\n                 CHIEF FINANCIAL OFFICER, DOD\n               DEPUTY CHIEF MANAGEMENT OFFICER\n               AUDITOR GENERAL, DEPARTMENT OF THE ARMY\n\nSUBJECT: Logistics Modernization Program System Procure-to-Pay Process Did Not \n\n         Correct Material Weaknesses (Repolt No. DODJG-2012-087) \n\n\nWe are providing this final report for your review and comment. This report addresses the\nArmy\'s implementation of one of the DoD Business Enterprise Architecture end-to-end business\nprocesses within the Logistics Modernization Program system. Despite spending about\n$1.8 billion, Army managers did not accomplish the reengineering needed to integrate the\nProcure-to-Pay functions to comply with DoD Business Enterprise Architecture requirements\nand correct material weaknesses. We considered management comments on a draft ofthis report\nwhen preparing the final report.\n\nDoD Directive 7650.3 requires that recOlTllllendations be resolved promptly. We received\ncomments from the Deputy Chief Management Officer and the Assistant Secretary of the Army\n(Financial Management and Comptroller). The Deputy Chief of Management Officer comments\nwere responsive, and no fUlther comments are needed. The Assistant Secretary of the Army\n(Financial Management and Comptroller) comments, sent on behalf of the Department of the\nArmy, were generally responsive. However, comments to Recommendations C.2.b and C.2.c\nwere nonresponsive and comments on Recommendations A.l.a, A.l.e, A.l.f, A.I.g, A. I .h, A.I.i,\nB.I.a, and C.2.a were partially responsive. We request additional comments from the Assistant\nSecretary of the Army (Financial Management and Comptroller) and Army Office of Business\nTransformation on the recommendations by June 28, 2012.\n\nIfpossible, send a portable document format (.pdf) file containing your comments to\naudfmr@dodig.mil. Copies of your comments must have the actual signature of the authorizing\nofficial for your organization. We are unable to accept the /Signed/ symbol in place of the actual\nsignature. If you arrange to send classified comments electronically, you must send them over\nthe SECRET Internet Protocol Router Network (SIPRNET).\n\nWe appreciate the cOllitesies extended to the staff. Please direct questions to me at\n(703) 604-8938 (DSN 664-8938).\n\n\n                                   ~ (\\ . J~                               \n\n                                   Richard B. Vasquez, CPA \n\n                               Acting Assistant Inspector General \n\n                              Financial Management and Reporting \n\n\x0c\x0cReport No. DODIG-2012-087 (Project No. D2010-D000FI-0234.000)                  May 29, 2012\n\n               Results in Brief: Logistics Modernization\n               Program System Procure-to-Pay Process Did Not\n               Correct Material Weaknesses\n                                                              manage, and maintain trading partner\n   What We Did                                                information. As a result, the Army allotted\n   Our objective was to determine whether                     about $1.3 million to develop vendor\n   appropriate internal controls were in place                information for two systems but did not resolve\n   within the Logistics Modernization Program                 material weaknesses related to accounts payable\n   system (LMP) to ensure proper recording of                 and intragovernmental eliminations.\n   accounting transactions related to the purchase\n   of goods and services.                                     What We Recommend\n                                                              The Deputy Chief Management Officer should\n   What We Found                                              review legacy registration processes to\n   Army financial and system managers did not                 determine whether DoD can incorporate registry\n   reengineer LMP to perform Procure-to-Pay                   databases into the System for Award\n   functions correctly or correct known material              Management. Other recommendations are:\n   weaknesses. The LMP developers did not                         \xe2\x80\xa2\t develop a plan of action and milestones\n   identify the system requirements needed to                        to bring the LMP into compliance with\n   correct the root causes of material weaknesses,                   the DoD requirements,\n   and Army managers did not review control                       \xe2\x80\xa2\t modify LMP to cease the automatic\n   activities to assess internal control effectiveness.              obligation of unmatched disbursements,\n   As a result, Army managers continued the use                   \xe2\x80\xa2\t review unobligated balances, and\n   of costly business processes and LMP failed to                 \xe2\x80\xa2\t develop a system edit check to identify\n   provide reliable financial data. As of                            activity exceeding allotted amounts.\n   August 31, 2011, LMP activities reported more              The Army should also create and manage\n   than $10.6 billion in abnormal balances within             vendor master data based on the System for\n   the Procure-to-Pay general ledger accounts.                Award Management and establish a vendor\n                                                              master data manager. Further, the Army should\n   LMP system access controls did not establish               improve LMP system access controls and assess\n   data integrity for the Procure-to-Pay process              the LMP Procure-to-Pay business process.\n   because Army managers did not provide\n   effective oversight over the development and               Management Comments and\n   implementation of system access templates. As              Our Response\n   a result, LMP data were at risk of unauthorized\n   and fraudulent use. In addition, the Army                  The Deputy Chief Management Officer and\n   Enterprise Systems Integration Program                     Department of the Army agreed with our\n   Management Office did not determine the                    recommendations. However, some of the Army\n   Standard Financial Information Structure data              comments were not responsive or did not fully\n   attributes needed to establish the vendor master           address what actions it would take to correct the\n   database and populate the correct domain values            reported deficiencies. Therefore, we request\n   for Army systems to process Procure-to-Pay                 that the Army provide additional comments as\n   transactions correctly. This occurred because              specified in the recommendations table on the\n   Army managers did not create the single source             back of this page.\n   of vendor master data needed to develop,\n                                                          i\n\x0cReport No. DODIG-2012-087 (Project No. D2010-D000FI-0234.000)            May 29, 2012\n\n\nRecommendations Table\n         Management                   Recommendations           No Additional Comments\n                                     Requiring Comment                Required\nDeputy Chief Management\nOfficer                                                         C.1\nAssistant Secretary of the Army                                 A.1.b, A.1.c, A.1.d, A.2.a,\n(Financial Management and         A.1.a, A.1.e, A.1.f, A.1.g,   A.2.b, A.2.c, A.3, B.1.b,\nComptroller)                      A.1.h, A.1.i, B.1.a, C.2.a,   B.1.c, B.1.d, B.1.e, B.1.f,\n                                  C.2.b, C.2.c                  B.2.a, B.2.b, B.2.c, C.4\nDirector, Army Office of          A.1.a, A.1.e, A.1.f, A.1.g,\nBusiness Transformation           A.1.h, A.1.i, C.2.a, C.2.b,\n                                  C.2.c                         A.1.b, A.1.c, A.1.d\nProgram Manager, Army\nEnterprise Systems Integration\nProgram                                                         C.3.a, C.3.b, C.3.c, C.3.d\n\nPlease provide comments by June 28, 2012.\n\n\n\n\n                                             ii\n\x0cTable of Contents\nIntroduction                                                                   1\n\n\n      Objective                                                                1\n\n      Material Weaknesses Related to Business Processes and Systems            1\n\n      DoD Procure-to-Pay Process                                               1\n\n      Review of Internal Controls Over the Business Process                    3\n\n\nFinding A. Logistics Modernization Program Procure-to-Pay Reengineering\n\n              Did Not Correct Known Weaknesses                                 4\n\n      Army Procure-to-Pay Responsibilities                                     4\n\n      Army Managers Did Not Implement the Business Enterprise Architecture\n\n         Business Process                                                      5\n\n      Developing an Effective Control Environment                              6\n\n      Implementing Control Activities to Accomplish Procure-to-Pay\n\n         Business Process                                                      8\n\n      Ineffective Monitoring of the Army Procure-to-Pay Business Process      18 \n\n      Conclusion                                                              19 \n\n      Recommendations, Management Comments, and Our Response                  19 \n\n\nFinding B. Logistics Modernization Program System Access Controls Were\n\n             Ineffective                                                      26 \n\n      System Compliance with Federal Information Security Management Act      26 \n\n      Segregation of Duties and Least Privilege Controls                      27 \n\n      Developing Consistent Account Management Policy and Procedures          31 \n\n      Army Materiel Command Taking Actions to Update Account Management       35 \n\n      Conclusion                                                              36 \n\n      Recommendations, Management Comments, and Our Response                  37 \n\n\nFinding C. Vendor Master Data Did Not Support the Procure-to-Pay Process      41\n\n      Vendor Master Information Requirements                                  41 \n\n      Developing a Single Army Vendor Master                                  43 \n\n      Army Expended Funds to Develop Multiple Vendor Tables                   47 \n\n      Developing a Way Forward                                                48 \n\n      Conclusion                                                              48 \n\n      Recommendations, Management Comments, and Our Response                  49 \n\n\nAppendices\n     A. Scope and Methodology                                                 54 \n\n     B. Prior Coverage                                                        56 \n\n     C. Description of Technical Requirements and Standards                   57 \n\n     D. Acronyms and Abbreviations                                            60 \n\n     E. Business Transformation Agency Procure-to-Pay Illustration            61 \n\n     F. Segregation of Duties                                                 63 \n\n     G. Statistical Sampling Methodology                                      66 \n\n\x0cTable of Contents (cont\xe2\x80\x99d)\nAppendices (cont\xe2\x80\x99d)\n     H. \tDeveloping the Vendor Master Using Standard Financial Information \n\n            Structure Attributes                                               69 \n\n\nGlossary\t                                                                      71 \n\n\nManagement Comments\n\n     Deputy Chief Management Officer                                           72 \n\n     Department of the Army                                                    74 \n\n\x0cIntroduction\nObjective\nOur overall objective was to determine whether the appropriate internal controls were in place\nwithin the Logistics Modernization Program system (LMP) to ensure the proper recording of\naccounting transactions related to the purchase of goods and services. Specifically, we\ndetermined the reasons for abnormal account balances 1 and transaction relationships and\ndetermined whether LMP properly supported the accounting transactions within the general\nledger accounts with verifiable audit trails. This report assesses the Army\xe2\x80\x99s implementation of\nthe DoD Business Enterprise Architecture (BEA) end-to-end business process for Procure-to-Pay\n(P2P) in LMP. See Appendix A for a discussion of our scope and methodology and Appendix B\nfor prior audit coverage. See Appendix C for the description of technical requirements and\nstandards and Appendix D for acronyms and abbreviations. See the Glossary for definitions of\ntechnical terms used in this report.\n\nMaterial Weaknesses Related to Business Processes and\nSystems\nThe Army has long-standing material weaknesses in the financial reporting of its Army Working\nCapital Fund (AWCF) business operations. The Army did not design its legacy accounting\nsystems to collect and record financial information using accrual accounting or to maintain\nauditable data at the transaction level to support the amounts reported on the AWCF financial\nstatements. In its FY 2010 Statement of Assurance, the Army reported 10 material weaknesses\nrelated to its AWCF business processes and systems. The material weaknesses involving\naccounts payable, abnormal balances (both discussed in Finding A), and intergovernmental\neliminations (discussed in Finding C) related directly to the P2P business process. These three\nmaterial weaknesses existed because of the inability of Army legacy systems to integrate the P2P\nbusiness process correctly and identify the proper trading partner information for Federal and\nnon-Federal transactions. Appendix C contains the definition of a material weakness and a\ndetailed description of the three material weaknesses. In the Army\xe2\x80\x99s FY 2011 Statement of\nAssurance, the Assistant Secretary of the Army (Financial Management and Comptroller)\n(ASA[FM&C]) identified LMP deployment as the major corrective action for resolving these\nthree material weaknesses.\n\nDoD Procure-to-Pay Process\nThe Deputy Chief Management Officer (DCMO) had overall responsibility for developing and\nensuring the implementation of the DoD BEA requirements. The Under Secretary of Defense\n(Comptroller)/Chief Financial Officer is responsible for ensuring that the Army complies with\nfinancial reporting requirements.\n\n\n1\n An abnormal balance occurs when the balance reported in a general ledger account is different from the expected\nnormal balance for that account as defined in the chart of accounts. For example, the normal balance for accounts\npayable (GLAC 2110) is a credit balance. When the trial balance reports the value as a debit balance, the balance is\nconsidered abnormal.\n\n\n                                                         1\n\n\x0cDoD developed the BEA to assist its components in developing the common end-to-end business\nprocesses needed to report the financial and other data managers need for decision-making. The\nBEA supports the move from a function-centered approach to one that looks at DoD business\nfunctions across the enterprise from an end-to-end process perspective. BEA version 7.0,\nreleased on March 12, 2010, introduced the end-to-end business flows to serve as the foundation\nfor a shared understanding of the target architecture. The BEA provided the business rules and\ntransactional information flows needed to develop Enterprise Resource Planning (ERP) system\nsolutions. The P2P business process was one of 15 BEA end-to-end business processes.\nAdditional details about the BEA P2P business process are in Appendix E.\n\nDoD Responsibilities\nThe DCMO issued guidance on October 13, 2009, restating the Defense Business Systems\nManagement Committee\xe2\x80\x99s commitment to explore the execution of the P2P end-to-end business\nprocess entirely within the ERP systems to the maximum extent possible, using pilots programs.\nThe FY 2010 National Defense Authorization Act (the Act), Section 1072, introduced new\nrequirements into the Department\xe2\x80\x99s investment review process. The Act stipulated that DoD\ncould not certify Defense business system modernization funds in excess of $1 million for\nobligation without making a determination on whether or not DoD had conducted appropriate\nbusiness process reengineering of the system processes. To justify additional LMP funding, the\nAct required the DCMO and the Army\xe2\x80\x99s Chief Management Officer to make the reengineering\ndeterminations.\n\nThe DCMO issued a memorandum dated February 12, 2010, implementing Section 1072 of the\nAct. The memorandum required the completion of an interim Business Process Reengineering\nAssessment Form by the Chief Management Officer of ERP systems coming to the DoD\nInvestment Review Board (the Board). In September 2010, the Board granted a third LMP\ndeployment decision, which included more than $37 million for the Army to continue\ndeployment and related support activities. The Board issued an Acquisition Decision\nMemorandum dated November 18, 2010, acknowledging that the Army knew risks existed in the\nsystem before deployment that must be mitigated in future software releases of LMP. The\nAcquisition Decision Memorandum provided seven specific tasks that needed to occur, including\nthe requirement for Army managers to ensure that they executed all future capability upgrades in\naccordance with an approved strategy for the emerging Army ERP systems.\n\nLogistics Modernization Program System\nIn December 1999, the Program Director, U.S. Army Wholesale LMP, Army Materiel\nCommand (AMC), awarded a service contract to develop and deploy LMP to process logistical\nand financial data in support of AWCF business operations and to maintain legacy systems until\nfull LMP deployment. The contractor used a commercial off-the-shelf software package to\ndevelop the LMP financial management and logistics functionality. In July 2003, the LMP\nProject Office initially deployed LMP to the CECOM Life Cycle Management Command\n(LCMC), New Jersey; Tobyhanna Army Depot, Pennsylvania; Defense Finance and Accounting\nService (DFAS) locations in Indianapolis, Indiana, and Columbus, Ohio; and several other AMC\nactivities supporting the AWCF Supply Management business area. In May 2009, the LMP\nProject Office completed its second deployment to an additional seven AMC locations, including\nthe Aviation and Missile Command LCMC, Alabama (the LCMC) and Letterkenny Army Depot\n\n\n                                               2\n\n\x0cPennsylvania (the Depot) that we visited. The LMP Project Office completed deployment to the\nremaining AWCF activities on October 21, 2010. During FY 2011, 28 AWCF activities used\nLMP to report trial balance data. DoD Inspector General (DoD IG) Report No. D-2011-015,\n\xe2\x80\x9cInsufficient Governance Over Logistics Modernization Program System Development,\xe2\x80\x9d\nNovember 2, 2010, reported that LMP had not resolved any previously reported material\nweaknesses, despite the Army spending more than $1.1 billion to develop and deploy the system.\nAs of July 2011, the Army spent about $1.8 billion on LMP. In December 2011, the Army\nissued a contract modification for almost $1 billion to extend the existing contract until\nDecember 2015.\n\nStandards for Internal Control\nOffice of Management and Budget Circular No. A-123, \xe2\x80\x9cManagement\xe2\x80\x99s Responsibility for\nInternal Control,\xe2\x80\x9d December 21, 2004, and Government Accountability Office (GAO)\n\xe2\x80\x9cStandards for Internal Control in the Federal Government,\xe2\x80\x9d November 1999, identify the\nstandards and policies for achieving proper internal control. The circular provides Federal\nmanagers with guidance to ensure that they establish effective internal control standards.\nManagement must also comply with the circular\xe2\x80\x99s Appendix A, \xe2\x80\x9cInternal Control Over Financial\nReporting,\xe2\x80\x9d when assessing internal control effectiveness over financial reporting. Effective\ninternal controls provide management with reasonable assurance of effective and efficient\noperations, reliable financial reporting, and compliance with laws and regulations. The five\nstandards of internal control are defined in Appendix C.\n\nReview of Internal Controls Over the Business Process\nDoD Instruction 5010.40, \xe2\x80\x9cManagers\xe2\x80\x99 Internal Control Program (MICP) Procedures,\xe2\x80\x9d July 29,\n2010, requires DoD organizations to implement a comprehensive system of internal controls that\nprovides reasonable assurance that programs are operating as intended and to evaluate the\neffectiveness of the controls. We identified internal control weaknesses in the management and\nimplementation of the LMP P2P business process. Specifically, Army financial managers did\nnot properly reengineer AWCF business processes and implement internal control procedures for\nconducting the LMP P2P business process, correctly administer LMP system access, or properly\ndevelop the vendor master data needed to associate financial data to the correct trading partners.\nWe will provide a copy of the report to the senior officials responsible for internal controls in the\nDepartment of Army.\n\n\n\n\n                                                 3\n\n\x0cFinding A. Logistics Modernization Program\nProcure-to-Pay Reengineering Did Not Correct\nKnown Weaknesses\nASA(FM&C) and AMC managers developed LMP business processes to perform LMP P2P\nfunctions that did not implement the DoD BEA requirements and correct known material\nweaknesses. Specifically, the LMP processes developed did not properly approve, verify, or\nreconcile P2P transactions or record and document business events accurately. This occurred\nbecause the managers did not:\n\n    \xe2\x80\xa2\t develop an effective control environment to identify the root causes of the material\n       weaknesses related to the P2P business process, develop appropriate corrective actions,\n       and reengineer the Army business processes and LMP system functionality to resolve the\n       weaknesses;\n    \xe2\x80\xa2\t establish the LMP control activities needed to accomplish the P2P business process\n       requirements; and\n    \xe2\x80\xa2\t monitor operations within the LMP P2P business process.\n\nAs a result, Army managers continued the use of costly legacy business processes and LMP\nfailed to provide reliable data to financial managers, which may impede an AWCF audit opinion\nby FY 2017. As of August 31, 2011, LMP activities reported more than $10.6 billion in\nabnormal balances within the accounts payable and budgetary general ledger accounts\nsupporting the P2P business process. LMP also continued to create and automatically obligate\nunmatched disbursements, 2 requiring the Army and DFAS to expend additional funds and\nresources to accomplish the manual reconciliation processes needed to post disbursements\ncorrectly.\n\nArmy Procure-to-Pay Responsibilities\nThe Deputy Assistant Secretary of the Army (Financial Operations) reports to the ASA(FM&C)\nand has responsibility for policies, procedures, programs, and systems pertaining to finance and\naccounting activities and operations. The Deputy Assistant Secretary of the Army (Financial\nOperations) also has responsibility for implementing Army financial management systems, data\nintegration, and the Army internal control program. ASA(FM&C) had responsibilities for\nensuring that LMP, as the AWCF\xe2\x80\x99s ERP system, correctly implemented these business flows\nbefore allowing the LMP Project Manager to fully deploy the system. As reported in DoD IG\nReport No. D-2011-015, the ASA(FM&C) was not sufficiently involved in LMP development\nand did not identify LMP financial management problems that required immediate corrective\nactions before LMP full deployment. Specifically, AMC personnel developed a majority of the\nrequirements for the LMP P2P business process.\n\n\n\n\n2\n An unmatched disbursement is a disbursement transaction that has been received and accepted by an accounting\noffice, but has not been matched to the correct detail obligation. This includes transactions that have been rejected\nand returned back to the paying office or central disbursement clearing organization by an accounting office.\n\n\n                                                          4\n\n\x0cOn February 5, 2010, the Secretary of the Army signed General Order 2010-01, establishing the\nArmy Office of Business Transformation (OBT). The order stated that the Army had originally\nestablished the Army OBT by memorandum on April 9, 2009. The Army OBT acts under the\nauthority, direction, and control of the Secretary of the Army; reports directly to the Army Chief\nManagement Officer; and is the lead for business transformation efforts Army-wide. Both the\nOBT and ASA(FM&C) now share the responsibility for ensuring that LMP activities implement\nthe appropriate internal control over the financial business processes.\n\nArmy Managers Did Not Implement the Business Enterprise\nArchitecture Business Process\nThe Army Director, OBT; ASA(FM&C); and AMC financial and system managers (hereafter\nreferred to collectively as Army managers) did not develop an LMP P2P business process that\ncomplied with DoD BEA requirements. The BEA required that an ERP system demonstrate its\nadherence to the 15 BEA business processes and related business rules as well as DoD Financial\nManagement Improvement Guidance, Federal accounting standards, and applicable public laws\nsuch as the Federal Financial Manager\xe2\x80\x99s Integrity Act of 1996, regulations, and policies\ngoverning the business process. Specifically, systems must comply with the Federal Financial\nManagement System Requirements as required by Office of Management and Budget Circular\nNo. A-127, \xe2\x80\x9cFinancial Management Systems,\xe2\x80\x9d January 9, 2009, and the Financial System\nIntegration Office\xe2\x80\x99s Core Financial System Requirements.\n\nWhen the Army initially deployed LMP in July 2003, the 15 BEA business processes had not\nbeen identified. In FY 2005, the Business Transformation Agency (BTA) began developing the\nBEA P2P business process. ASA(FM&C) and AMC managers developing LMP had not\n                                                assessed what impact emerging BEA\n      ASA(FM&C) and AMC managers                requirements had on further LMP deployment.\n    developing LMP had not assessed what        They also did not determine whether they\n  impact emerging BEA requirements had on       needed to delay deployment and ensure that\n          further LMP deployment.               they conducted the appropriate business process\nreengineering needed to integrate the LMP P2P business process at full deployment. As a result,\nthey did not provide the LMP Project Office with the correct requirements needed to develop the\nLMP functionality needed to meet the requirements of the BEA P2P business process. Instead,\nArmy managers made the decision to delay business process reengineering until after LMP had\ndeployed and sought the Board\xe2\x80\x99s approval to continue deployment in September 2010. The\nBoard decided to allow the Army to fully deploy LMP without first ensuring that the Army\nmanagers had reengineered LMP P2P business process to resolve the material weaknesses that\nhad existed in the legacy environment.\n\nArmy OBT and ASA(FM&C) managers did not take advantage of the Defense Business Systems\nManagement Committee\xe2\x80\x99s commitment to explore the execution of the P2P business process\nwithin LMP. They did not direct the LMP Project Office to reengineer the legacy environment\nto the extent necessary to develop a LMP P2P business process that would ensure the appropriate\nAWCF personnel approved, verified, or reconciled P2P transactions and recorded and\ndocumented the financial transactions and business events accurately. The legacy environment\nthat these Army managers largely perpetuated within LMP consisted of multiple nonintegrated\nsystems performing specific functions within the P2P business process. Appendix E compares\n\n\n                                                5\n\x0cthe BEA requirements for the P2P business process to the \xe2\x80\x9cas is\xe2\x80\x9d environment for obtaining\ngoods and services. Figure 1 shows the P2P business flow related to the six phases of the BEA\nP2P business process: Requisitioning and Commitments (Execute Requisition), Contracting and\nObligations (Source Goods and Services, Manage Contract, and Execute Purchase), Goods\nReceipt (Perform Receipt, Acceptance and Return), Invoicing (Process Invoice and Match),\nEntitlement (Process Invoice and Match), and Disbursing (Execute Disbursement).\n\n        Figure 1. Business Enterprise Architecture, Version 7.0, P2P Business Flow\n\n\n\n\nSource: DoD BEA, Version 7.0\n\nDeveloping an Effective Control Environment\nArmy managers did not develop an effective control environment to identify the root causes of\nthe material weaknesses related to the P2P business process, develop appropriate corrective\nactions, and reengineer the Army business processes. This prevented the LMP Project Office\nfrom designing the final LMP business process correctly by taking advantage of the inherent\ncapabilities contained in the commercial software for accomplishing the P2P business process.\nArmy managers also did not analyze the root causes for known material weaknesses within the\ncurrent P2P business process to design and implement the corrective actions needed to resolve\nthe weaknesses. Consequently, they instructed the LMP Project Office to configure LMP to\nperpetuate AMC legacy business processes. This configuration resulted in a non-integrated P2P\nbusiness process that could not resolve the material weaknesses related to accounts payable,\nabnormal account balances, and intragovernmental eliminations.\n\nControl Environment Resulted in Additional Costs to Maintain Legacy\nSystems and Processes\nASA(FM&C) did not ensure that AMC personnel designed LMP requirements that would\nimplement the commercial software\xe2\x80\x99s full P2P capabilities. Therefore, AMC personnel did not\nreengineer LMP to provide the integration required to perform all phases of the P2P business\nprocess. Soon after the July 2003 LMP deployment, Army managers should have assessed its\nbusiness operations, identified all existing P2P business processes and systems used in the legacy\nenvironment and the commercial software capabilities to accomplish these business processes,\nand developed a reengineering plan to integrate these processes within LMP. If ASA(FM&C)\n\n\n\n\n                                                6\n\n\x0chad instructed the LMP program managers to reengineer the LMP P2P business process, then\nDFAS and LMP activities could have discontinued the use of costly legacy business processes\nand systems to accomplish the P2P business process. For example:\n\n    \xe2\x80\xa2\t At the Depot, personnel continued to use the Aquiline system to create purchase requests\n       to solicit and award service contracts. Aquiline is a commercial Purchase Request\n       software tool used by AMC contracting activities. Resource managers entered a purchase\n       request in Aquiline before the requisition information was manually entered into LMP\n       because LMP lacked the internal controls and functionality needed for online approval\n       and funds certification. The Army did not integrate the Aquiline system into LMP or any\n       other financial management system. The Army planned to retire the Aquiline system\n       after the Army deployed both LMP and the Army General Fund Enterprise Business\n       System (GFEBS). In July 2011, the Army extended the use of Aquiline with the\n       potential additional cost of $1.1 million for its use during FY 2012. As an integrated\n       ERP system, LMP should have assumed the entire purchase requisition phase and\n       eliminated the need for use of this legacy system. Depot personnel stated that they\n       continued to use this system because LMP did not provide the resource managers with\n       the ability to maintain proper funds certification and approval authority over purchase\n       requests for services.\n\n    \xe2\x80\xa2\t ASA(FM&C) did not require AMC to reengineer the entitlement process and continued\n       to require separate systems to entitle and disburse P2P transactions. Army managers\n       informed us that during LMP development, DoD management instructed them not to\n       reengineer the entitlement process because the replacement system for the Computerized\n       Accounts Payable System and the Mechanization of Contract Administration Services\n       system would subsume this functionality. However, in FY 2003, when DoD cancelled\n       plans for the replacement system, ASA(FM&C) did not require AMC to reassess the\n       requirements needed to integrate the entitlement process. Because Army managers did\n       not reengineer the business process, they could not eliminate the prevalidation process\n       designed to match proposed disbursements to actual obligations and eliminate unmatched\n       disbursements. 3 By not reengineering the P2P business process, DoD must continue to\n       operate and maintain stand-alone entitlement systems, such as the Computerized\n       Accounts Payable System and the Mechanization of Contract Administration Services\n       system, which LMP should have incorporated for AWCF activities. Integrating the\n       entitlement process would also have eliminated the AWCF\xe2\x80\x99s portion of the more than\n       50 full-time equivalent DFAS positions charged to the Army by DFAS in FY 2010 to\n       accomplish prevalidation and resolve unmatched disbursements.\n\nThe Army Director, OBT, issued the \xe2\x80\x9cArmy Business Systems Information Technology\nStrategy,\xe2\x80\x9d (Army ERP Strategy) on February 14, 2011. The Army ERP Strategy requires Army\nERP program managers to assess current business operations and develop a plan to reengineer\n\n\n3\n  Prevalidation is the matching of an invoice and receiving report to the corresponding obligation recorded in LMP.\nIt is required by public law and is a process that would be inherent in a fully integrated ERP environment because\nthe same system performs the accounting and the entitlement functions.\n\n\n\n                                                         7\n\n\x0cthe P2P business process. 4 Opportunities exist to integrate more functionality within LMP that\n                                                      would improve the control environment and\n        Opportunities exist to integrate more         make operations more efficient. For\n   functionality within LMP that would improve        example, the Army ERP Strategy should\n   the control environment and make operations        detail how LMP personnel can configure\n                   more efficient.                    the commercial software\xe2\x80\x99s functionality to\n                                                      perform the nonintegrated aspects of the\nP2P process, such as the contracting, commercial pay entitlement, and disbursement functions, to\nthe maximum extent practical. In developing the Army ERP Strategy, Army managers should\ndirectly oversee all future development of LMP system requirements and develop a plan of\naction and milestones that will reengineer and integrate LMP to comply with the BEA P2P\nbusiness process. This should include integrating to the maximum extent possible all phases of\nthe P2P business process.\n\nImplementing Control Activities to Accomplish Procure-to-\nPay Business Process\nArmy managers did not establish the control activities needed to ensure that the P2P business\nprocess complied with financial reporting requirements. The Army had not correctly developed\nthe following control activities to ensure proper implementation of the LMP P2P business\nprocess:\n    \xe2\x80\xa2 top level functional and activity reviews of actual performance,\n    \xe2\x80\xa2 performance measures and indicators, and\n    \xe2\x80\xa2 proper execution of transactions and events.\nFinding B addresses the control activities needed to assess segregation of duties and least\nprivilege conflicts as well as restrict access to records and resources. Finding C addresses the\nneed to provide Army ERP systems with accurate vendor master data.\n\nArmy Managers Not Performing Functional and Activity-Level\nReviews of Actual Performance\nArmy managers did not conduct sufficient functional and activity-level reviews to assess the\nactual performance of the LMP P2P business process. Internal control standards require\nmanagers to compare actual performance to planned or expected results and conduct the analysis\nto correct significant differences. Although Army managers identified that abnormal account\nbalances occurred in the eight accounts payable General Ledger Account Codes (GLACs) since\nthe initial LMP deployment in FY 2003, they had not fully identified the reasons for the\nabnormal conditions. Consequently, they had not resolved this material weakness before full\nLMP deployment. 5 The 28 LMP activities reported more than $10.6 billion in abnormal\n\n\n4\n  The Army is also testing a pilot program within GFEBS to transition to an integrated entitlement process. We plan\nto assess the Army ERP Strategy as a separate audit.\n5\n The 28 LMP activities report information in 14 general ledger accounts, 2 supporting accounts payable Federal and\nNon-Federal transactions, and 12 supporting budgetary information. Each account had several sub accounts that\nmade up the value reported for the general ledger account. Each sub account had a designated normal debit or credit\nbalance.\n\n\n                                                        8\n\n\x0cbalances within 124 of 392 accounts payable and budgetary general ledger accounts that\nsupported the P2P business process as of August 31, 2011. Figure 2 shows that the cumulative\nabnormal balances in the eight accounts payable general ledger sub accounts (GLAC\n2110.XXXX) have significantly increased since September 2008 in the two AWCF business\nareas (Supply Management and Industrial Operations) as additional activities began using LMP. 6\n\n                      Figure 2. Abnormal Balances Reported in GLAC 2110\n                                          (millions)\n\n\n\n\nSource: LMP Trial Balance Data\n\nThe decision not to integrate the entitlement process into LMP was a significant reason for the\nabnormal balances in accounts payable. The lack of integration prevented LMP from recording\nthe receipt and acceptance of goods before it recorded the payment transactions received from\nthe disbursement system. LMP did not record the original accounts payable transaction at the\ntime the Government actually accepted the goods at shipping points because the process sent the\nactual receipt documentation to the entitlement systems. Figure 3 shows the LMP accounting\nentry that should have occurred upon receipt of goods.\n\n                 Figure 3. Accounting Entry to Post Goods Receipt Transaction\nDebit - GLAC for specific asset or expense\n   Credit - Accounts Payable - Goods Receipt/Invoice Receipt,\n        Federal/Non-Federal (GLAC 2110.1000/2000)\nSource: Auditor Derived from SFIS Posting Logic\n\n\n\n\n6\n  Figure 2 uses the following general ledger sub accounts to make up Federal and Non-Federal Accounts Payable:\nGoods Receipt/Invoice Receipt Accounts Payable (Federal), GLAC 2110.1000; Goods Receipt/Invoice Receipt\nAccounts Payable (Non-Federal), GLAC 2110.2000; Accounts Payable \xe2\x80\x93 In-Transit, GLAC 2110.5000; Accounts\nPayable-Inventory Consignment Liability, GLAC 2100.6000; Accounts Payable (Federal), GLAC 2110.9100; and\nAccount Payable (Non-Federal), GLAC 2100.9200. In FY 2011, the LMP Project Office added GLAC 2110.7100\nand GLAC 2100.7200 to enable DFAS to enter a journal voucher at month end to create an accrual for constructive\nreceipt of goods, which removes a portion of the abnormal balances.\n\n\n                                                       9\n\n\x0cWhen LMP received a disbursement transaction, the system posted an invoice receipt that moved\nthe amount recorded as an accounts payable between accounts payable GLACs and then posted\nthe actual disbursement to liquidate the accounts payable. Figure 4 shows the two accounting\nentries recorded when LMP posted disbursement transactions.\n\n     Figure 4. LMP Accounting Entries to Post Invoice and Disbursement Transactions\nDebit - GLAC 2110.1000/2000\n   Credit - Accounts Payable - Federal/Non-Federal (GLAC 2110.9100/9200)\nPurpose: To post invoice receipt.\n\nDebit - GLAC 2110.9100/9200\n   Credit - Funds Balance With Treasury (GLAC 1010)\nPurpose: To post disbursement.\nSource: Auditor Derived from LMP Posting Logic\n\nThe LMP posting logic for receipt of goods resulted in an abnormal debit balance in\nGLAC 2110.1000/2000. This abnormal balance remained until LMP personnel posted the actual\nreceiving report, indicating receipt and acceptance of goods in LMP for the disbursement\npreviously posted. Although Army managers and LMP Project Office personnel recognized this\nproblem, they stated that commercial software would not allow them to record goods acceptance\nuntil after the goods actually arrived at a depot or supply management activity. They also stated\nthat LMP could not use specific inventory movement codes that controlled in-transit inventory\nbecause the Army configured LMP to handle other inventory functions, which precluded the use\nof those codes. 7 They did not believe that commercial software developers would make the\nneeded change to the software simply to support LMP. However, in March 2011, after we\ndiscussed with them the goods acceptance problem, the LMP Project Office requested a change\nto the commercial software and the company agreed to test a proposed solution in early FY 2012.\nIf the Army had identified and corrected this system problem before full system deployment,\nACWF abnormal accounts payable balances would not have grown to nearly $1.1 billion\n(Figure 2).\n\nIn addition, as of August 31, 2011, budgetary accounts supporting the P2P business process\ncontained more than $9.5 billion in abnormal balances. The Army OBT and ASA(FM&C)\nshould expedite the solution for resolving the posting of in-transit inventory. Once resolved,\nthey should assess the system\xe2\x80\x99s business flow and posting logic for the accounts payable process\nand determine whether additional problems exist that cause abnormal balances related to the\nLMP P2P process. If additional problems exist, they should develop the corrective actions to\naddress them.\n\n\n\n7\n  Inventory-in-transit is material in transit from commercial and government suppliers, whose title has passed to\nDoD, but has not been received and accepted at the final designated destination. Movement type 107 is used at the\ntime of acceptance. This should create the necessary proprietary (GLACs 1510/2110) and budgetary\n(GLACs 4801/4901) postings. However, the accepted quantity will not be available for any logistical activity until\nan individual creates a Goods Receipt for the material using movement type 109. Movement type 109 will release\nthe received quantity into unrestricted stock. This Goods Receipt transaction creates no financial postings.\n\n\n                                                        10\n\n\x0cArmy Did Not Use Performance Measures and Indicators to Assessing\nLogistics Modernization Program System Performance\nArmy managers did not effectively use performance measures and indicators to assess the LMP\ndata provided for their use. Internal control standards require that activities establish and\nmonitor performance measures and indicators, including comparisons and functional reviews\nrelating different sets of data to one another to make needed analyses of the relationships and\ndevelop appropriate corrective actions. Although Army managers had established some\nperformance measures and indicators, they did not develop performance measures to monitor the\nstatus of the LMP Unobligated Authority for potential violations of the Antideficiency Act.\nTable 1 shows that the three LMP general ledger accounts used to report unobligated authority\nindicated the Supply Management activities had exceeded their cumulative unobligation\nauthority by about $5.6 billion as of August 31, 2011. The table identifies the 11 Supply\nManagement activities that had abnormal unobligated balances.\n\n                   Table 1. Review of Unobligated Authority August 31, 2011\n                                          (millions)\n   LIMIT          Unapportioned          Allotments          Commitments          Total Unobligated\n                    Authority            GLAC 4610            GLAC 4700               Authority\n                   GLAC 4450\nAC50                        $104.6                  $0.0                  $0.0                 $104.6\nAC5A                        1,451.7              (126.6)                   0.0                1,325.1\nAC5D                         474.0                (50.2)                  (7.1)                 416.7\nAC5E                        2,068.5               (42.7)                   0.0                2,025.8\nAC5F                         189.1                 (5.1)                  (1.0)                 183.1\nAC5T                         635.6                (14.8)                  (5.2)                 615.5\nAC63                         196.0                 (6.9)                 (26.8)                 162.3\nAC67                         312.5                 (1.2)                   0.0                  311.3\nAC68                            0.0                   0.0                  0.0                    0.0\nAC6E                        (431.1)               (14.9)                  (1.8)               (447.7)\nAC9C                        1,110.2               (15.2)               (150.8)                  952.2\nAC9D                         573.7                 448.0               (560.7)                  461.0\nAC9E                        (244.3)               (59.5)                 (49.4)               (353.2)\nAC9F                        (160.4)               (22.0)                 (13.7)                (196.1\nAC9G                           16.6                (0.5)                   0.0                   16.0\n Total                      $6,296.9                $88.4                $(816.7)                $5,568.6\n*The four-character limit represents the Supply Management activity and the shaded areas reflect an abnormal\naccount balance. For example, AC50 represents the U.S. Army Materiel Command Logistical Operations. AC50\nhad an abnormal account balance of $104.6 million in both Unapportioned Authority (GLAC 4450) and Total\nUnobligated Authority.\n\nArmy Budget Office personnel stated that it was unlikely that the Supply Management activities\nhad exceeded their obligation authority because they suspected that the LMP posting logic for\nthree general ledger accounts, GLACs 4450, 4610, and 4700, was incorrect and caused LMP to\nreport abnormal balances. They also stated that the abnormal balances reported in GLAC 4450\n\n\n                                                      11\n\n\x0cwere incorrect balances brought forward from legacy systems that they planned to address once\nthey fully identified and implemented the business process flows and accounting requirements\nfor reporting contract authority within LMP. However, it was not until we questioned these\naccounts that Army managers took any actions to assess these abnormal accounts. Army Budget\nOffice personnel did not believe an Antideficiency Act violation had occurred because their\nother reports showed sufficient balances in unobligated authority. However, LMP also indicated\nthat the $448 million abnormal (debit) balance in GLAC 4610, \xe2\x80\x9cAllotments,\xe2\x80\x9d at one activity\n(AC9D) resulted in the LMP trial balance reporting that the Supply Management business area\nexceeded its FY 2011 allotment authority by $88.4 million.\n\nArmy OBT and ASA(FM&C) should direct AMC financial managers to develop performance\nindicators to assist them in identifying activities exceeding their obligation or allotment\nauthority. ASA(FM&C) should work with AMC to conduct a review of the LMP unobligated\nauthority balances, determine whether a potential Antideficiency Act violation has occurred, and\ntake actions to correct the LMP abnormal balances and posting logic problems. They should also\ndevelop a system edit check that identifies when an activity exceeds the allotment authority in\nGLAC 4610 and require activities to report each occurrence to the Office of ASA(FM&C) for\nimmediate resolution.\n\nProperly Executing Business Transactions and Events\nLMP did not execute each phase of the P2P business process properly. The P2P business\nprocess required the assignment of specific accounting entries to record business transactions to\nthe GLACs. As stated in DoD IG Report No. D-2011-015, Army managers could not provide\nthe detailed posting logic used for each financial event. Without this information, Army\nmanagers had limited assurance that LMP could properly execute P2P transactions and events.\nInternal control standards state that proper documentation of posting logic is essential to ensuring\nthat the proper execution of transactions occurred. Both AWCF activities reviewed had\nproblems with the execution of the business transactions and events related to the Requisitioning\nand Commitments Phase and the Contracting and Obligations Phase of the LMP P2P business\nprocess. Without automated system controls, unauthorized persons could submit or change\ntransactions and accomplish business events outside the scope of their authority. As a result,\ndata from LMP are subjected to an increased vulnerability for individuals to create and process\nfraudulent transactions. Instituting automated system controls is the principal means of ensuring\nthat the Army only initiates or enters valid transactions.\n\nLogistics Modernization Program System Did Not Implement the\nRequisitioning and Commitments Phase Effectively\nArmy managers did not sufficiently assess the Requisitioning and Commitments Phase at AWCF\nactivities and design the LMP functionality needed to create and process all requisitions and\ncommitments used by AWCF activities. This phase requires an individual to create a purchase\nrequest (requisition) and establish a commitment of funds to record in the accounting records. At\nthe two AWCF activities we visited:\n\n   \xe2\x80\xa2\t LMP did not have the proper functionality to create purchase requests related to service\n      contracts and credit card transactions. Instead, activity personnel continued to use offline\n\n\n\n                                                12\n\n\x0c       systems and processes to create purchase requests and entered a manual commitment\n       transaction within LMP to track the purchase request using the LMP transaction screen\n       FMY1 (Create Funds Commitment).\n\n   \xe2\x80\xa2\t LMP did not restrict purchase request functions, such as purchase request approvals,\n      document releases, and waiving ordering limits, to only those high-level managers\n      required to perform the actions. For example, LCMC users performed a manual process\n      to obtain higher management approvals for purchase requests because LMP did not\n      automatically route purchase requests to high-level managers for approval. Army\n      managers also did not implement the system controls needed to restrict the release of\n      purchase requests to the proper approval authority.\n\n   \xe2\x80\xa2\t More than 1,300 of the 3,514 users had system access that permitted them to create,\n      change, and release a purchase request for any dollar amount without approval from a\n      higher level of authority. Internal control standards state that the individual requesting\n      items should not also approve that request. LMP needs to be able to provide the ability to\n      track approval events online by transaction and approval level, including the date, time,\n      and signature of the approving authority (see Finding B).\n\n   \xe2\x80\xa2\t LMP lacked the system controls to route purchase requests to resource management\n      personnel to formally record fund certification. The BEA business rules required the\n      certification of funds availability by the comptroller or an individual responsible for the\n      funds to ensure obligations would not exceed available funds. LMP allowed any\n      individual with authority to create a purchase request to fund the request based on\n      entering a code other than \xe2\x80\x9cU\xe2\x80\x9d in the Account Assignment Category before releasing the\n      document to the contracting office. Personnel at the two activities stated that individuals\n      releasing purchase requests could also cite other activities\xe2\x80\x99 funds unintentionally. The\n      Depot provided a recent example of Corpus Christi Army Depot citing the Depot\xe2\x80\x99s funds\n      by incorrectly entering the wrong Plant Number into LMP. As a result, Corpus Christi\n      Army Depot erroneously committed $8,253 in Depot funds. The Depot and Corpus\n      Christi Army Depot worked together to correct the error.\n\nTo ensure proper funds control, only the individual responsible for the obligation authority\nprovided to an AWCF activity, or a limited number of individuals appointed by that individual to\ncertify funds, should be able to fund purchase requests. This certification requires the use of an\nelectronic signature that controls the certified document and provides the contracting officer or\nobligating official the legal authority to use the funding.\n\nIn addition, the two AWCF activities visited committed funds at different points during the\nphase. For example, the Depot committed funding upon release of the purchase request for\nobligation actions and the LCMC did not commit funding until notified by the contracting office\nthat a contract was ready for obligation actions. LMP users at the LCMC continued to follow the\nlegacy policy and prepared unfunded purchase requests. AMC managers stated that this\noccurred in order to prioritize the use of funds because many of the procurements had long\nadministrative lead times. DoD Financial Management Regulation 7000.14-R (DoD FMR),\nvolume 14, chapter 1, \xe2\x80\x9cAdministrative Control of Funds,\xe2\x80\x9d January 2009, requires that proper\n\n\n                                               13\n\n\x0cfunding be available prior to initiating contracting or other obligation actions. Therefore,\npersonnel should commit funds at the time they release purchase requests for action by others.\nBy not committing the funds upon release of a purchase request, DoD is at risk of accomplishing\ncostly contracting actions and not having funds available to obligate the contract at the time of\naward.\n\nThe Army OBT and ASA(FM&C) should direct AMC to develop the functionality to provide for\nproper document flow for approval of purchase requests within LMP. They should also direct\nAMC to evaluate the P2P business process to identify all offline systems and procedures that\nactivities use to accomplish the Requisitioning and Commitments Phase outside of the ERP\nsystem and, to the extent possible, incorporate that functionality into LMP and discontinue the\nuse of the other processes. In situations where Army managers cannot immediately incorporate\nthe functionality into LMP, they should develop compensating controls over non-integrated\noffline processes and restrict the creation of manual commitment transactions to resource\nmanagement personnel. They should also restrict an individual\xe2\x80\x99s ability to use fund codes and\napprove transactions to only the individual\xe2\x80\x99s LMP activity. The Army OBT and ASA(FM&C)\nshould also direct AMC to assign funds certification authority to a limited number of individuals\nand develop the requirement for LMP to limit funds certification to only these individuals. In\naddition, they should direct that fund managers establish commitments for purchase requests at\nthe time of release.\n\nLimited Reengineering of the Contracting and Obligations Phase\nArmy managers did not sufficiently reengineer the Contracting and Obligations Phase of the P2P\nbusiness process to ensure that LMP controlled obligation transactions without the need for\nlocally developed manual processes. Army managers relied on interfaces they developed with\nexisting contracting systems such as the Standard Procurement System and Procurement\nAutomated Data and Document System to develop the obligations based on the contracting\nactions those systems accomplished. However, LMP did not provide the online capability for\n       . . . LMP did not provide the online         individuals to accomplish Military\n     capability for individuals to accomplish       Interdepartmental Purchase Request (MIPR)\n      Military Interdepartmental Purchase           acceptance functions. Instead, the requesting\n      Request (MIPR) acceptance functions.          activity had to print and manually sign a\n                                                    hardcopy MIPR document and send it to the\nperforming activity. The performing activity manually accepted the MIPR and sent it back to the\nrequesting activity. LMP then allowed the individual who created the MIPR at the requesting\nactivity to record the actual acceptance by the performing activity and establish the obligation.\nThis partially automated process provided only limited control over the obligation process and is\nprone to error. The use of manual processes prevented the Army managers from realizing the\nintegration advantages LMP could have provided by systematically controlling the MIPR request\nand acceptance process.\n\nIn addition, the LMP Program Activity Table used by the requesting activity contained invalid\naddress information for the performing activities and did not generate an accurate hardcopy\nMIPR for mailing purposes. LCMC personnel showed us that the LMP Program Activity Table\nwas incomplete and required them to prepare a manual MIPR document for submission to the\nreceiving activity for acceptance. The Army OBT and ASA(FM&C) should direct AMC to\n\n\n                                               14\n\n\x0cevaluate the P2P business process to identify the offline systems and procedures within the\nContracting and Obligations Phase, develop plans for incorporating these functions and\nintegrating the acceptance functionality into LMP, and discontinue the use of manual obligation\nprocesses once the integration into LMP is complete. In addition, they should direct AMC to\nensure that the data contained in the Program Activity Table can be used to prepare manual\ndocuments correctly and develop compensating controls to validate the data integrity of\nmanually created obligation transactions.\n\nGoods Receipt and Invoicing Phases Not Properly Reengineered\nArmy managers did not reengineer the AWCF business process to correctly record accounting\ntransactions within the Goods Receipt and Invoicing Phases. The Army decided to continue\nusing legacy entitlement systems to accomplish these phases instead of incorporating them into\nLMP. Consequently, Army managers did not design LMP to receive invoices directly from\ncontractors and vendors or receiving reports from activities authorized to accept goods on behalf\nof the government. Instead, the Wide Area Workflow system only provided these automated\ndocuments to the entitlement systems, which eventually provided LMP with payment\ntransactions. When DoD receiving activities accepted supply items at the shipping point, the\nArmy delayed the recording of the receipt and acceptance data in LMP until these items actually\narrived at the receiving dock. In these situations, LMP did not record the associated accounting\ntransactions for government acceptance of goods correctly because AMC personnel developed\nincorrect posting logic to record these transactions.\n\nThe LMP process contributed to the creation of abnormal balances in the accounts payable and\nassociated general ledger accounts. For example, when LMP received a payment transaction\nfrom an entitlement system before properly recording the government receipt and acceptance of\nthe goods, it erroneously treated these transactions as if they were a prepayment of an\nundelivered order. LMP recorded the transaction by crediting \xe2\x80\x9cUndelivered Orders-Paid\xe2\x80\x9d\n(GLAC 4802) in the budgetary accounts, but incorrectly debited GLAC 2110 in the proprietary\naccount instead of \xe2\x80\x9cAdvances and Prepayments\xe2\x80\x9d (GLAC 1410) to reflect payment of a prepaid\nundelivered order. This created abnormal account relationships and abnormal balances in the\naccounts. LMP should have posted the receipt and acceptance of the goods since the entitlement\nsystem had already properly matched the obligations to a valid invoice and receiving report using\nthe prevalidation process.\n\nBeginning in April 2011, the Army approved a departmental-level journal voucher that posts the\ncorrect LMP accounts and serves as a temporary fix until the Army managers can implement the\nsoftware changes needed to record in-transit inventory movements correctly. The posting logic\ndiscussion on pages 9 and 10 explains the significance of LMP not recording the receiving data\nat the time of acceptance.\n\nAlthough LMP could identify the transactions that comprised the unadjusted trial balance and the\ninformation we obtained from DFAS personnel supported an audit trail, LMP did not accurately\nrecord the source documentation information for transactions recorded during the Goods Receipt\nand Invoicing Phases. Internal control standards require the accurate recording of transactions to\nmaintain their relevance and value to management in controlling operations and making\ndecisions. We selected a random stratified sample of 120 P2P transactions recorded as\n\n\n                                               15\n\n\x0c\xe2\x80\x9cDelivered Orders-Obligations Paid\xe2\x80\x9d (GLAC 4902) made during November 2010 and attempted\nto track the information recorded in LMP to the source documents that activities and vendors had\nprovided to the entitlement systems. We were able to trace the dollar value of the transactions\nrecorded in GLAC 4902 from the unadjusted trial balances of each of the 29 LMP activities to\nthe total dollar value of disbursement transactions recorded in LMP. For each of the randomly\nselected P2P transactions, based on the document voucher number found in LMP, we requested\nthe voucher, vendor invoice, and receiving report from DFAS Columbus. DFAS Columbus\npersonnel provided supporting documents for 96 of the 120 transactions. 8 Supporting documents\nfor the 96 transactions presented the following deficiencies:\n\n    \xe2\x80\xa2\t LMP did not record the actual invoice number from the vendor. The Core Financial\n       System Requirements state that systems must provide automated functionality to capture\n       invoice data, including the vendor invoice number.\n\n    \xe2\x80\xa2\t LMP did not correctly record invoice dates, invoice receipt dates, receipt dates, or\n       acceptance dates as reflected on the source documents. The dates recorded in LMP\n       usually reflected the dates LMP interfaced with the entitlement system.\n\n    \xe2\x80\xa2\t The pertinent LMP invoice and receiving report transaction screens did not identify the\n       disbursement voucher information. Because more than one disbursement typically\n       liquidated an obligation, LMP needed to link the various invoices and receiving reports to\n       the corresponding disbursement voucher.\n\nThe absence of actual invoice numbers, accurate dates, and disbursement voucher information\nprevented activities from using LMP to detect duplicate payments and validate that payments\n                                                   complied with the Prompt Payment Act. In\n     The absence of actual invoice numbers,        addition, the incorrect data did not allow us to\n    accurate dates, and disbursement voucher       evaluate the validity of the data LMP used to\n   information prevented activities from using     approve prevalidation requests. LMP did not\n      LMP to detect duplicate payments and         have a standard query to identify all the\n    validate that payments complied with the       documents related to a P2P transaction. The\n               Prompt Payment Act.\t                Core Financial System Requirements state that\n                                                   systems must provide the capability to\nperform a query that would list all related documents and transactions in the processing chain for\ndocument referencing and audit trail purposes. The Army OBT and ASA(FM&C) should direct\nAMC to develop functionality in LMP to capture and record the vendor invoice date, vendor\ninvoice number, and date of invoice receipt at the paying station. Army managers\nshould direct the LMP Project Office to develop the data fields needed to record the actual\nreceipt and acceptance dates for goods and services and a query that will identify all documents\nrelated to an LMP P2P transaction.\n\n\n\n\n8\n The remaining 24 transactions represented inter-AWCF transactions and material movements. It appeared proper\nfor activities to record the types of transactions in this account. However, because there were no source documents,\nsuch as disbursement vouchers, vendor invoices, or receiving reports, we excluded them for our review.\n\n\n                                                         16\n\n\x0cArmy Managers Did Not Integrate Entitlement and Disbursement Phases\nLMP did not use the commercial software functionality for entitling and disbursing P2P\ntransactions because Army managers used legacy entitlement and disbursement processes to\nperform the ready-to-pay functions using the Wide Area Workflow system and existing\nentitlement systems. They informed us that they would continue to use those processes until\nDoD decided how to replace the legacy entitlement systems. As a result, the Army and DFAS\nhad to develop interfaces within LMP to prevalidate commercial payments. The entitlement\nprocess integration would have eliminated the need for a separate prevalidation system and\nwould reduce the need for some of the 50 full-time equivalent DFAS positions and prevalidating,\ndisbursing, and resolving unmatched disbursement for the Army in FY 2010.\n\nPrevalidation processing in LMP did not result in the recording of the proper accounts payable\nand ready-to-pay transactions. 9 Although LMP recorded the invoice and the required budgetary\naccounting entry upon receiving a prevalidation request, it did not determine whether the LMP\nactivity had previously recorded a receiving report and the associated accounts payable\ntransaction. LMP Project Office personnel stated that LMP tracked prevalidation requests using\nthe Authorization Reference Number provided by the prevalidation module, but LMP did not\nrecord the approval of these prevalidation requests as \xe2\x80\x9cDisbursements In-transit\xe2\x80\x9d (GLAC 2120)\nto recognize that LMP had approved the account payable transaction for payment. As a result,\nLMP did not create the ready-to-pay transaction file required by the U.S. Government Standard\nGeneral Ledger to reconcile to the disbursement transaction file once received. ASA(FM&C)\nshould develop a plan to implement the functionality in LMP to record the receipt and\nacceptance of goods and services, receipt of the invoice requesting payment, and allow LMP to\nperform the appropriate obligation matches as required by the Core Financial System\nRequirements.\n\nBecause disbursement transaction files did not identify the prevalidation requests approved for\ndisbursement by Authorization Reference Number, LMP could not reconcile the transactions and\nhad difficulty posting disbursement transactions to matching detailed obligations, creating\nunmatched disbursements. Examination of the more than 83,000 disbursements made in\nNovember 2010, determined that LMP posted unmatched disbursements for 8,244 transactions,\nvalued at about $339.5 million. A duplicate obligation (\xe2\x80\x9cZK\xe2\x80\x9d transaction) was created for each\nunmatched disbursement transaction it received. 10\n\nLMP automatically created a \xe2\x80\x9cZK\xe2\x80\x9d transaction without accounting office personnel first\nperforming the research required by DoD FMR, volume 3, chapter 11, \xe2\x80\x9cUnmatched\nDisbursements, Negative Unliquidated Obligations, and In Transit Disbursements,\xe2\x80\x9d\nNovember 2010, to determine whether a matching obligation existed. The creation of each \xe2\x80\x9cZK\xe2\x80\x9d\ntransaction required LMP users to record at least two additional LMP transactions once they\n\n\n9\n  Ready-to-pay means that the proper three-way match between the obligation, invoice, and receipt occurred and an\nindividual certified the payment as ready for transmission to a payment office for action.\n10\n  A \xe2\x80\x9cZK\xe2\x80\x9d transaction is a potential duplicative obligation established in LMP that matches disbursement received\nfrom a payment office for which a matching obligation can be readily identified. The \xe2\x80\x9cZK\xe2\x80\x9d transaction remains in\nLMP until manual research identifies the original obligation.\n\n\n                                                       17\n\n\x0cidentified the correct obligation, one transaction to reverse the \xe2\x80\x9cZK\xe2\x80\x9d transaction and another to\npost the disbursement to the correct obligation. LMP erroneously recorded the unmatched\ndisbursement transactions as a contract expense and cited funds from the associated LMP\n                                                        activities\xe2\x80\x99 allotment account (GLAC 4610)\n     LMP erroneously recorded the unmatched             for these pseudo obligations. The LMP\n      disbursement transactions as a contract           activities reversed the pseudo obligations\n    expense and cited funds from the associated         once they identified the matching\n         LMP activities\xe2\x80\x99 allotment account              obligations, which took from 1 day to more\n    (GLAC 4610) for these pseudo obligations.           than 1 year. An obligation previously\n                                                        existed in LMP for each of the 43 randomly\nselected unmatched disbursement transactions recorded in the November 2010 disbursement file\nwe selected for review. Dual posting of obligations reduced the availability of funds and could\ncause the Army to exceed its annual obligation authority and incur a potential violation of the\nAntideficiency Act.\n\nAs discussed previously, LMP contained no system controls or edit checks that would alert\nArmy managers when LMP activities attempt to process transactions that will cause the over\nexpenditure of their allotted obligation authority. ASA(FM&C) should direct AMC G-8 to\ndevelop the requirements in LMP to create a ready-to-pay file based on the LMP approval of\nprevalidation requests. ASA(FM&C) and AMC personnel should stop allowing LMP to create a\ntemporary obligation automatically for each disbursement it cannot match to a detailed\nobligation. LMP should record these transactions as unmatched disbursements and\nASA(FM&C) should require accounting activities to perform the research required to determine\nwhether they can identify the correct detailed obligation. If one exists, they should post the\ndisbursement to that obligation and, if not, they should take immediate actions to record the\nobligation.\n\nIneffective Monitoring of the Army Procure-to-Pay Business\nProcess\nArmy managers did not ensure that LMP activities and AMC managers monitored operations\nwithin the LMP P2P process. AMC managers did not revise quality assurance evaluations used\nin the legacy environment to assess controls implemented in the ERP environment. Evaluations\nof internal controls performed at the two activities relied on checklists developed before the\nimplementation of LMP. Consequently, these activity personnel did not adequately assess the\nLMP system controls and the manual P2P processes that the activities performed. In FY 2010,\nthe activities had performed some reviews that identified abnormal balances existed in their\ngeneral ledger accounts. However, the Army\xe2\x80\x99s departmental-level financial reporting processes\nmasked the abnormal account balances by netting the account balances of all the AWCF\nactivities and reported normal account balances on the AWCF financial statements. This\nprecluded senior Army resource and financial managers from properly gauging the results of\nnormal LMP business operations.\n\nHeadquarters AMC had not determined the internal control procedures and checklists needed to\nassess any of the LMP processes. During the audit, AMC managers established a working group\nto begin establishing the framework for a more robust internal control assessment of the LMP\n\n\n\n                                                18\n\n\x0cP2P business processes. ASA(FM&C) should direct AMC to develop a comprehensive internal\ncontrol program to assess the quality of LMP performance and regular management and\nsupervisory activities over the LMP P2P business process.\n\nConclusion\nArmy managers did not perform sufficient business process reengineering to implement the\nBEA\xe2\x80\x99s P2P business process within LMP successfully. Instead, the Army recreated most of the\nlegacy business processes within LMP, which did not correct the long-standing material\nweaknesses within the P2P business process. Army managers did not assess all offline systems\nand procedures used by the LMP activities to create, approve, and reconcile P2P transactions and\ndesign the LMP functionality needed to accomplish those tasks. As of August 31, 2011, LMP\nProject Office and AMC activities created numerous workarounds that resulted in LMP\nimplementing incorrect posting logic that resulted in abnormal balances and account\nrelationships of $10.6 billion. Army managers did not develop performance measures to assess\nLMP data and implement the corrective actions needed to resolve known problems.\n\nDual processing and posting of contract data, receiving reports, and invoices in both an\nentitlement system and LMP was inefficient, prone to errors, and obscured the audit trail back to\nsource documents and transactions. The lack of integrated LMP business processes required the\nArmy and DFAS to continue performing costly prevalidations to ensure proper obligation\nmatching required by the Core Financial System Requirements and reconciliations to maintain\nthe correct data between the systems. In addition, Army managers did not ensure that LMP\nactivities and AMC managers monitored operations within the LMP P2P business process. As\npart of the new Army ERP Strategy, the Director, Army OBT and ASA(FM&C) should develop\na plan of action and milestones to bring the LMP system into compliance with BEA P2P\nbusiness rules. The ASA(FM&C) should work with AMC G-8 to conduct a review of the LMP\nunobligated authority and determine whether an Antideficiency Act violation occurred when\nLMP activities appeared to exceed their AMC allotted authority. They also should redesign the\nLMP prevalidation process, stop automatically establishing obligations for unmatched\ndisbursements until activities accomplish proper reconciliation as required by the DoD FMR, and\ndevelop a system edit check that identifies when an activity exceeds the allotment contained in\nGLAC 4610. In addition, ASA(FM&C) should direct the AMC internal control managers to\ndevelop a comprehensive internal control program to assess the LMP P2P business process.\n\nRecommendations, Management Comments, and Our\nResponse\nA.1. We recommend that the Director, Army Office of Business Transformation and\nAssistant Secretary of the Army (Financial Management and Comptroller) develop a plan\nof action and milestones to bring the Logistics Modernization Program system into\ncompliance with the DoD Business Enterprise Architecture Procure-to-Pay business rules.\nSpecifically, as part of the Army Business System Information Technology Strategy, define\nthe Army\xe2\x80\x99s plans for developing effective and efficient Logistics Modernization Program\nsystem business processes that will:\n\n       a. Integrate the contracting and entitlement functions.\n\n\n                                               19\n\n\x0cDepartment of the Army Comments\nThe ASA(FM&C), responding on behalf of the Army, agreed and stated that Army managers\nrecognize that opportunities exist to improve the efficiency of the LMP P2P processes. The\nASA(FM&C) stated that current process segmentation adds to interface complexity and error\nrates and is a source of abnormal balances. The ASA(FM&C) also stated that the LMP system\ndesign is normal for typical ERP implementation and the best practice is to reduce risk\nassociated with large implementation projects by first fielding a basic capability and then\ncapitalizing on investment via driving more functionality into the system. As part of the Army\nBusiness System Information Technology Strategy, Army managers will review the feasibility of\nintegrating additional P2P functionality within the LMP environment and will use the results of\nthe review to develop a plan of action and milestones addressing the viability of integrating\nadditional contracting and entitling functions, improving internal controls, and identifying\nadditional metrics and performance indicators. The plan of action and milestones will reflect\nlimitations imposed by the Department\xe2\x80\x99s BEA related to contract writing, vendor invoicing,\npayment entitlements, and disbursement processing.\n\nOur Response\nThe Army comments were partially responsive. In the Army plan of action and milestones,\nArmy managers should address how to reengineer the Army current business processes to\nremove or mitigate any limitations the Army believes are imposed by the BEA requirements and\nthen work with DoD senior leadership to implement the reengineered business processes. We\nrequest that the ASA(FM&C) provide additional comments on the final report, explaining how\nthe Army will implement the reengineered business processes.\n\n      b. Expedite a solution for resolving the in-transit inventory posting logic problems\nand correct abnormal balances.\n\nDepartment of the Army Comments\nThe ASA(FM&C), responding on behalf of the Army, agreed and stated that the December 2011\nsoftware release added capabilities for constructive receipts, automated in-transit inventory\naccrual processes, improved the derivation of the trading partner indicator, corrected posting\nlogic resulting in the reduction of abnormal balances, and improved access controls to prevent\ninaccurate cross-command postings. The ASA(FM&C) reported that these improvements\nresulted in a $1.9 billion reduction in abnormal balances between August 2011 and December\n2011.\n\nOur Response\nThe Army comments were responsive.\n\n       c. Reassess the system\xe2\x80\x99s accounts payable business process flow and posting logic\nand determine whether additional problems exist that cause abnormal balances. If so,\ndevelop the corrective actions needed to resolve those problems.\n\n\n\n\n                                              20\n\n\x0cDepartment of the Army Comments\nThe ASA(FM&C), responding on behalf of the Army, agreed and stated that the feasibility\nreview and P2P plan of action and milestones will identify additional opportunities to enhance\nLMP P2P processing. The ASA(FM&C) stated that Army managers made significant changes\nduring 2011 that corrected the current configuration of transactions for contract authority,\ncorrected posting logic for credit card expenses, and enhanced configuration of Defense Travel\nSystem and Integrated Product-Support Vendor transactions. Additionally, the December 2011\nsoftware release added capabilities for constructive receipts, automated in-transit inventory\naccrual processes, and improved the derivation of trading partner indicator information. The\nASA(FM&C) also stated that the corrected posting logic resulted in the reduction of abnormal\nbalances and improved access controls to prevent inaccurate cross-command postings.\n\nOur Response\nThe Army comments were responsive.\n\n        d. Develop performance indicators to assist in identifying the potential for\nsignificant posting errors and develop responsive corrective actions.\n\nDepartment of the Army Comments\nThe ASA(FM&C), responding on behalf of the Army, agreed and stated that the Army will\nperform a feasibility review as part of the Army Business System Information Technology\nStrategy and use the results to develop a plan of action and milestones addressing additional\nmetrics and performance indicators.\n\nOur Response\nThe Army comments were responsive.\n\n       e. Develop the edit checks and business workflows needed to control and route\npurchase requests and Military Interdepartmental Purchase Requests to the appropriate\nindividuals for approval and funds certification. This should include:\n\n              (1) Associating fund codes and approval authority to an individual\xe2\x80\x99s\nassigned activity.\n\n              (2) Assigning certification of funds availability to a limited number of\nindividuals and developing the requirement for the system to limit funds certification to\nonly these individuals.\n\n               (3) Directing that fund managers establish commitments for purchase\nrequests at the time an activity releases the requests for obligation actions.\n\n             (4) Developing the functionality needed for separate individuals to create\nand accept Military Interdepartmental Purchase Requests within the system.\n\n\n\n\n                                               21\n\n\x0c               (5) Validating the data contained in the Program Activity Table and\nensuring that it is preparing manual documents correctly and developing compensating\ncontrols to validate the data integrity of manually created obligations.\n\nDepartment of the Army Comments\nThe ASA(FM&C), responding on behalf of the Army, agreed and stated that the Army will\ncontinue to leverage the Army Business System Information Technology Strategy and\ngovernance procedures to implement additional improvements as updates to the BEA and SFIS\nare published. The ASA(FM&C) stated that the Army is in requirements definition discussions\nfor Local Vendor Pay enhancements that will enable LMP to perform entitlement functions\ncurrently processed by other systems. These requirements include edit checks and business\nworkflows needed to control and route purchase requests and MIPRs through LMP to the\nappropriate individuals for approval and funds certification, management of vendor data, and\nentitlement functions. The Army expects to complete a requirements analysis by March 2012.\n\nOur Response\nThe Army comments were partially responsive. Although the ASA(FM&C) stated that the Army\nwill define requirements for the Local Vendor Pay enhancements, she did not specifically state\nhow her office will ensure that the enhancements will address the specific issues identified in the\nrecommendation. We request that the ASA(FM&C) provide additional comments on the final\nreport, explaining how the enhancements will resolve the deficiencies in processing purchase\nrequests and MIPRs.\n\n       f. Identify offline systems and procedures within the Procure-to-Pay phases,\nincorporate the functionality into the system, and discontinue the use of offline processes.\nIn situations where Army managers cannot immediately incorporate the functionality,\ndevelop compensating controls over non-integrated offline processes and restrict the\ncreation of manual commitment and obligation transactions to resource management\npersonnel.\n\nDepartment of the Army Comments\nThe ASA(FM&C), responding on behalf of the Army, agreed and stated that the Army will\ncontinue to leverage the Army Business System Information Technology Strategy and will\nreview the feasibility of integrating additional P2P functionality into LMP. The results of the\nreview will be used to develop a plan of action and milestones addressing the viability of\nintegrating additional contracting and entitling functions, improving internal controls, identifying\nand correcting abnormal balances relating to P2P transactions, and developing and tracking\nrequirements imposed by the Department\xe2\x80\x99s BEA related to contract writing, vendor invoicing,\npayment entitlements, and disbursement processing.\n\nOur Response\nThe Army comments were partially responsive. Although the ASA(FM&C) stated that the Army\nwill develop a plan of action and milestones, she did not state that the Army will develop\ncompensating controls for nonintegrated offline processes and restrict the creation of manual\ncommitment and obligation transactions to resource management personnel. We request that the\n\n\n\n                                                22\n\n\x0cASA(FM&C) provide additional comments on the final report, explaining how the Army will\nensure that proper compensating controls are developed until related functionality is incorporated\ninto LMP.\n\ng. Develop functionality within the system to capture and record the actual vendor invoice\ndate, vendor invoice number, and date of invoice receipt at the paying station. Also,\ndevelop the data fields needed to record separately the actual receipt and acceptance dates\nfor goods and services.\n\nDepartment of the Army Comments\nThe ASA(FM&C), responding on behalf of the Army, agreed and stated that the plan of action\nand milestones will reflect limitations imposed by the Department\xe2\x80\x99s BEA related to contract\nwriting, vendor invoicing, payment entitlements, and disbursement processing. The\nASA(FM&C) also stated that Army managers are currently in requirements definition\ndiscussions for Local Vendor Pay enhancements, which would enable LMP to perform vendor\npayment functions.\n\nOur Response\nThe Army comments were partially responsive. The ASA(FM&C) did not identify how the\nArmy will develop functionality within LMP to capture and record the actual vendor invoice\ndate, vendor invoice number, and date of invoice receipt at the paying station. Also, the\nASA(FM&C) did not identify how the Army will develop the data fields needed to record\nseparately the actual receipt and acceptance dates for goods and services. Dual processing and\nposting of contract data, receiving reports, and invoices in both an entitlement system and LMP\nwas inefficient, prone to errors, and obscured the audit trail back to source documents and\ntransactions. We request that the ASA(FM&C) reconsider her response to this recommendation\nand provide additional comments on final report, addressing how LMP will capture the\nappropriate invoice and receiving data needed to support obligation matching and prompt\npayment requirements.\n\n       h. Develop the ability to identify all documents related to Procure-to-Pay\ntransactions within a single system query.\n\nDepartment of the Army Comments\nThe ASA(FM&C), responding on behalf of the Army, agreed and stated that as part of the Army\nBusiness System Information Technology Strategy, the Army will review the feasibility of\nintegrating additional P2P functionality within the LMP environment. The results of the review\nwill be used to develop the plan of action and milestones.\n\nOur Response\nThe Army comments were partially responsive. The ASA(FM&C) identified the need to\ndevelop a plan of action and milestones to address this recommendation. However, she did not\naddress how or when the Army will address implementing LMP functionality to identify all\ndocuments related to the P2P transactions using a single query. The Core Financial System\nRequirements state that systems must provide the capability to perform a query that would list all\n\n\n\n                                               23\n\n\x0crelated documents and transactions in the processing chain for document referencing and audit\ntrail purposes. The absence of actual invoice numbers, P2P processing dates, and disbursement\nvoucher information prevented activities from using LMP to detect duplicate payments and\nvalidate that payments complied with the Prompt Payment Act. We request that the\nASA(FM&C) reconsider her response to this recommendation and provide additional comments\non the final report, addressing how the Army will implement this query function within LMP.\n\n   i. Develop a ready-to-pay file based on the system\xe2\x80\x99s approval of prevalidation\nrequests.\n\nDepartment of the Army Comments\nThe ASA(FM&C), responding on behalf of the Army, agreed and stated that as part of the Army\nBusiness System Information Technology Strategy, the Army will review the feasibility of\nintegrating additional P2P functionality within the LMP environment. The results of the review\nwill be used to develop the plan of action and milestones.\n\nOur Response\nThe Army comments were partially responsive. The ASA(FM&C) identified the need to\ndevelop a plan of action and milestones to address this recommendation. However, the\nASA(FM&C) did not specifically address the Army\xe2\x80\x99s plan for developing LMP processes that\nwill create a ready-to-pay file based either on an approved prevalidation request or invoices\napproved through the integrated entitlement function being developed in LMP. Implementing\nthe functionality in LMP to record the receipt and acceptance of goods and services and the\nreceipt of the invoice requesting payment will allow LMP to perform the appropriate obligation\nmatches as required by the Core Financial System Requirements. The Disbursements In-Transit\ngeneral ledger account (GLAC 2120) should liquidate an existing accounts payable transaction\nbased on the certification and transmission to a disbursing activity of that invoice for payment.\nGLAC 2120 should be liquidated upon the posting of a related disbursement transaction returned\nby the disbursing station. We request that the ASA(FM&C) reconsider her response to this\nrecommendation and provide additional comments on the final report, explaining how the Army\nwill develop the required LMP functionality.\n\nA.2. We recommend that the Assistant Secretary of the Army (Financial Management and\nComptroller) direct the Army Materiel Command G-8 to:\n\n       a. Conduct a review of the unobligated authority general ledger account balances to\ndetermine whether an Antideficiency Act violation occurred, and take actions to correct\nthe abnormal balances and posting logic problems related to the accounts.\n\n       b. Modify the Logistics Modernization Program system to cease the automatic\nobligation of unmatched disbursements until activities accomplish proper reconciliation as\nrequired by the DoD Financial Management Regulation.\n\n       c. Develop a system edit check that identifies when an activity exceeds the allotment\ncontained in General Ledger Account Code 4610 and require activities to report each\n\n\n\n                                               24\n\n\x0coccurrence to the Office of Assistant Secretary of the Army (Financial Management and\nComptroller) for immediate resolution.\n\nDepartment of the Army Comments\nThe ASA(FM&C) agreed and stated that she will direct Headquarters AMC to work with DFAS\nColumbus to review the unobligated authority general ledger accounts balances for all LMP\nactivities and determine if any have exceeded their obligation authority. If this review discloses\nthe potential for an Antideficiency Act violation, appropriate action will be taken. Abnormal\nbalances disclosed by the review will be corrected. The Army will complete the review by\nJune 2012. In addition, the Army conducted a workshop in March 2012 to determine a\ncompliant LMP process and discontinue the automatic obligation process for unmatched\ndisbursements. The ASA(FM&C) also stated that the Army will use existing reports to better\nmonitor and flag potential issues with GLAC 4610, \xe2\x80\x9cAllotments.\xe2\x80\x9d The Army will include\nmilestones related to these actions in the P2P plan of action and milestones developed in\nresponse to Recommendation A.1.\n\nOur Response\nThe Army comments were responsive.\n\nA.3. We recommend that the Assistant Secretary of the Army (Financial Management and\nComptroller) direct the development of a comprehensive internal control program for the\nLogistics Modernization Program Procure-to-Pay business process to assess the quality of\nperformance and regular management and supervisory activities over the business process.\nArmy managers should work with Logistics Modernization Program Project Office\npersonnel to ensure that they design and implement the necessary procedures and controls\nand develop the testing needed to ensure control effectiveness.\n\nDepartment of the Army Comments\nThe ASA(FM&C) agreed and stated that the Army will assess key controls supporting all\nFinancial Improvement and Audit Readiness assessable units, including those related to P2P\nactivities, as part of the Army Financial Improvement Plan audit readiness discovery and\nevaluation activities. The assessment will determine the effectiveness of the design and\noperation of applicable controls and identify corrective actions required to bring controls into\ncompliance with audit standards. The ASA(FM&C) also stated that the assessment might also\nrecommend establishing a standard performance objective for those managers and supervisors\nworking P2P processes. These actions will be completed during FY 2013.\n\nOur Response\nThe Army comments were responsive.\n\n\n\n\n                                                25\n\n\x0cFinding B. Logistics Modernization Program\nSystem Access Controls Were Ineffective\nArmy managers did not establish LMP Functional Security Roles (FSRs) and other system\naccess procedures to ensure proper data integrity of the P2P business process. This occurred\nbecause they did not provide effective oversight over the development and implementation of the\nLMP FSR templates. Specifically, Army managers did not:\n\n     \xe2\x80\xa2\t develop a risk matrix that alerts managers of potential segregation of duties and least\n        privilege conflicts caused by assigning multiple LMP transaction screens within FSR\n        templates,\n     \xe2\x80\xa2\t develop adequate policies and procedures to ensure that system administrators and user\n        supervisors effectively administered user access, and\n     \xe2\x80\xa2\t perform periodic reviews of LMP user access.\n\nAs a result, the two activities we visited assigned 624 users FSRs that would cause segregation\nof duties conflicts. In addition, users had more access than required and were granted access to\nperform functions without proper authorizations. Further, LMP User Account Management\n(UAM) administrators had not resolved or removed over 7,000 suspended user accounts. The\nadministration of user access placed LMP data at an increased risk for unauthorized and\nfraudulent use.\n\nSystem Compliance with Federal Information Security\nManagement Act\nPublic Law 107-347, \xe2\x80\x9cE-Government Act of 2002,\xe2\x80\x9d December 17, 2002, Title III, enacted\nFederal Information Security Management Act (FISMA) of 2002 and required each Federal\nagency to develop, document, and implement an agency-wide program that provides security for\nthe information and systems supporting that agency\xe2\x80\x99s operations and assets. FISMA required\nthat the National Institute of Standards and Technology (NIST) develop and issue standards,\nguidelines, and other publications to assist Federal agencies in implementing and managing cost-\neffective programs to protect their information system data. NIST Special Publication 800-53,\nRevision 3, \xe2\x80\x9cRecommended Security Controls for Federal Information Systems and\nOrganizations,\xe2\x80\x9d May 2010, addressed specific requirements for implementing proper separation\nof duties, least privilege, and account management. 11 See Glossary for a definition of these\nterms. The NIST requirements related to segregation of duties, least privilege access, and\naccount management provide the indicators of how well LMP safeguarded data integrity.\n\nRole-Based Access Control Model\nNIST Information Technology Laboratory Bulletin, \xe2\x80\x9cAn Introduction to Role-Based Access\nControl,\xe2\x80\x9d December 1995, defined guidance for developing a role-based access control model.\n\n\n11\n  Internal control standards issued by the GAO refer to segregation of duties. NIST publications refer to separation\nof duties instead of segregation of duties. Within the report, we use segregation of duties.\n\n                                                         26\n\n\x0cThe model required Army managers to perform a thorough analysis of how an entity operated\nand how users functioned within an entity. The model also allowed access control policies to\nalign with the organizational lines of authority and responsibilities of the individual users. The\nmodel provided an effective means for developing and enforcing LMP specific security polices,\nincluding segregation of duties and least privilege, and for streamlining the account management\nprocess. FSR templates identify the access and authorizations granted to a user and are\nassociated with the user profiles in the commercial software. When designed properly, each FSR\ntemplate should contain the minimum set of privileges required to perform assigned tasks or\nfunctions.\n\nDeveloping Logistics Modernization Program Functional Security\nRole Templates\nAs of August 4, 2011, the LMP Project Office had developed 376 FSR templates to assign LMP\nuser access. Each template incorporates the applicable transaction screens needed to perform\nstandard LMP functions. 12 For example, FSR template \xe2\x80\x9cR/3 ACQ Change Purchase Requisition\nNB ZB\xe2\x80\x9d provides the ability to modify a purchase request using the ME52N transaction screen.\nThe template also allows users to view any LMP purchase request using the ME53N transaction\nscreen. See Appendix F, Table F-1 for titles of transaction screens. The LMP Project Office\nworked with the UAM managers from each LMP activity to tailor the FSR templates to the\nfunctions performed within each AWCF activity.\n\nIssuance of Army Materiel Command User Access Policy\nDuring 2007, AMC, G-3, issued the LMP End User Access and Account Management Policy\n(LMP User Access Policy), which designated the Enterprise Integration Directorate as the\noverall policy administrator for LMP user access and account management. The policy assigned\nthe commander at each LMP activity the responsibility to appoint an UAM manager to oversee\nand manage the activity\xe2\x80\x99s LMP system access.\n\nSegregation of Duties and Least Privilege Controls\nArmy managers did not establish the proper data integrity controls to resolve segregation of\nduties and least privilege conflicts when they provided the requirements the LMP Project Office\nused to develop the LMP FSR templates. 13 The LMP Project Office used the role-based access\nmodel for developing the FSR templates and designed the FSR templates to accomplish the\nspecific job functions as defined by AMC managers. It had also designed specific FSR templates\nas \xe2\x80\x9cRestricted\xe2\x80\x9d to allow activities to limit access to certain transaction screens to only those users\nneeding to accomplish a specific task for limited periods. For example, the LMP Project Office\ncreated restricted FSR templates that limited the ability of users to modify the LMP vendor\nmaster information or approve certain transactions, such as employee timesheet data. Restricted\n\n\n12\n  Each function may have one or more LMP transaction screens associated with it. Each transaction screen may\nrequire the access for one or more authorization fields and was identified by a unique code consisting of letters and\nnumbers.\n13\n Least privilege requires that activities assign user access based upon the minimum access that a user requires\nwhen performing the tasks assigned by business function and organization.\n\n                                                         27\n\n\x0cFSR templates required an additional level of approval from the Business Transformation Lead\nresponsible for that business process at each LMP activity. However, Army managers did not\nadequately map each of the individual FSRs they created to the P2P business process.\nConsequently, they had limited assurance that segregation of duties or least privilege conflicts\nwould not occur when they created individual FSR templates or when authorized individuals at\nAWCF activities assigned multiple FSRs to users.\n\nAssessing Templates for Procure-to-Pay Business Process Conflicts\nArmy managers did not determine which transaction screens, when assigned together, caused\nsegregation of duties conflicts. At least 82 of the 302 FSR templates had a direct relationship to\nthe P2P business process and 13 of the 82 FSR templates contained the LMP transaction screens\nthat allowed users to record the receipt of goods or services function (MIGO or ZIGO). Of the\n13 FSR templates, 7 contained inherent segregation of duties conflicts. For example, the FSR\ntemplate \xe2\x80\x9cR/3 IMWM Goods Movement\xe2\x80\x9d inappropriately allowed the Receiving Specialist,\nMRP Planner/Buyer, or Warehouse Specialist to change a purchase order (ME22N), record the\nreceipt of goods or services (MIGO or ZIGO), transfer goods (MB1B), and adjust the inventory\nwithin the warehouse (MB1A). The combination of these transaction screens created a\nvulnerability to unauthorized and fraudulent transactions because LMP users with this access\ncould change purchase orders, enter the goods receipts, and change inventory records. The two\nAWCF activities we visited had assigned 624 users one or more of these seven FSR templates,\n                                                    which contained the ZIGO or MIGO\n     The two AWCF activities we visited had         transaction screens and another transaction\n     assigned 624 users one or more of these        screen that created an inherent segregation of\n   seven FSR templates, which contained the         duties conflict. Appendix F explains the\n     ZIGO or MIGO transaction screens and           potential segregation of duties conflicts that\n   another transaction screen that created an       could exist within the P2P business process,\n      inherent segregation of duties conflict.      and Table F-1 identifies the LMP transaction\n                                                    screens that could pose conflicts. Because\nArmy managers did not define the FSR requirements and identify potential conflicts, the UAM\nmanagers did not have the ability to train their administrators and supervisors on how to assign\nsystem access correctly.\n\nIn addition, some FSR templates did not comply with specific laws and regulations to ensure the\nsystem maintained data integrity. For example, commanders at both the LCMC and Depot did\nnot ensure that the process to assign 13 FSRs that performed receipt of goods or services\nfunction (MIGO and ZIGO) was assigned to only those individuals appointed in writing as a\nDesignated Accountable Official by the LMP activity\xe2\x80\x99s commander. This written appointment\nwas necessary to comply with DoD FMR, volume 5, chapter 33, \xe2\x80\x9cCertifying Officers,\nDepartmental Accountable Officials and Review Officials,\xe2\x80\x9d August 2010. UAM administrators\nor supervisors were then able to validate that the users were appointed to fulfill this requirement\nbefore granting them access to perform these functions. As a result, the LMP activities had not\nimplemented the requirements of the Certifying Officers\xe2\x80\x99 Legislation and could not hold the\nLMP users performing receipt and acceptance functions accountable for improper payments\nresulting from the data they provided to entitlement systems. Without identifying the conflicts\nand other regulatory requirements needed to perform business events within LMP, activities\nunknowingly subjected LMP to data integrity problems and potential compromise. Army\n\n                                                28\n\n\x0cmanagers should determine the impact of regulatory requirements, such as the Departmental\nAccountable Official Legislation, on the development and issuance of FSR templates.\nSupervisors and system administrators should ensure the proper appointment of all users before\ngranting access to the templates.\n\nDeveloping a Risk Matrix of Potential Conflicts\nArmy managers did not develop a risk matrix that assessed the assignment of LMP transaction\nscreens within templates used during the P2P business process for potential segregation of duties\nconflicts. The BEA business rules provided specific guidance on how functions related to the\nP2P business process needed to be assigned and highlighted potential segregation of duties\nconflicts that could exist. Army managers did not assess the risk of assigning each of the LMP\ntransaction screens used in the P2P business process to ensure that the LMP Project Office\ndeveloped FSR templates that segregated duties correctly. Army managers should have\ndeveloped a risk matrix, which identified each transaction screen within the P2P business process\nand highlighted transaction screens, when assigned together, would create a segregation of duties\nconflict. Table 2 is a sample of risk matrix related to the LMP P2P business process in which a\ndot denotes pairs of transaction screens that would create a conflict if assigned to the same user.\n\n                        Table 2. P2P Transaction Screen Risk Matrix\n\n LMP\nScreen        ME51N             ME52N             MIGO             ZIGO         XK01\nME51N                                               \xe2\x80\xa2                \xe2\x80\xa2            \xe2\x80\xa2\n\nME52N                                                 \xe2\x80\xa2               \xe2\x80\xa2            \xe2\x80\xa2\n\nMIGO               \xe2\x80\xa2                \xe2\x80\xa2                                              \xe2\x80\xa2\n\nZIGO               \xe2\x80\xa2                \xe2\x80\xa2                                              \xe2\x80\xa2\n\nXK01               \xe2\x80\xa2                \xe2\x80\xa2                 \xe2\x80\xa2               \xe2\x80\xa2\n\n\nArmy managers should have worked with LMP personnel to map the templates to the P2P\nbusiness process and identify which FSR templates, when assigned together, would create\nconflicts. For example, as shown in Table 2, LMP users who could record the receipt goods and\nservices (MIGO and ZIGO) should not also have access to create or modify purchase requests\n(ME51N or ME52N) or update the Vendor Master (XK01) to prevent unauthorized transactions\nthat could go undetected. Army managers should then have determined whether they needed to\nseparate the functional authorities in the templates to prevent segregation of duties conflicts or\ndevelop compensating controls to monitor the potential conflict created within the template.\nArmy managers should perform a risk assessment of the LMP transaction screens assigned\nwithin the FSR templates to minimize the potential for segregation of duties conflicts.\n\n\n\n\n                                                29\n\n\x0cAssigning Users Multiple Functional Security Role Templates\nResulted in Conflicts\nUAM administrators and supervisors created additional segregation of duties and least privilege\nconflicts when assigning the FSR templates to employees. At the two activities visited, UAM\nadministrators and supervisors stated that they were unaware of a requirement to administer FSR\ntemplates based upon segregation of duties and least privilege concepts, and they did not know\nwhich FSR templates could create a conflict. As of November 2010, UAM administrators at the\ntwo activities visited had assigned 10 or more FSRs to 1,998 of the 3,513 LMP users, while more\nthan 850 of the 3,513 LMP users had 25 or more FSRs assigned to them. Although users\nrequired a certain number of FSRs to accomplish day-to-day tasks, the assignment of 25 or more\nFSRs appeared to indicate that Army managers did not design the FSR templates properly for\nconducting the LMP business process and did not achieve the role-based system access control\nneeded to maintain data integrity.\n\nThe assignment of multiple FSRs to a user could create a least privilege conflict if they were not\nnecessary for the individual to perform job responsibilities. For example, the Depot assigned one\nuser the FSR \xe2\x80\x9cR/3 IMWM [Restricted] CCI Movement.\xe2\x80\x9d This FSR allowed for the transfer of\ncryptographic items. Of the transactions available within this FSR template, the user informed\nus that they only required transaction screen ZMMBE (Stock Overview). However, the template\nalso contained access to transaction screens to create and modify purchase orders (ME21N and\nME22N), create equipment (IE01) as used within plant maintenance, and change outbound\ndelivery documents (VLO2N). The user did not require any of these transaction screens to\nperform her job. The assignment of excess access caused a least privilege conflict. The need for\nmost users to have the functional authorities in multiple FSR templates demonstrated that Army\nmanagers had not effectively mapped the FSR templates to the P2P business process. They also\ndid not provide the UAM administrators and user supervisors with sufficient guidance on how to\nassign multiple FSR templates to an individual user without causing least privilege and\nsegregation of duties conflicts.\n\nAMC personnel should map each FSR template created to the BEA P2P process to determine the\nexistence of potential segregation of duty and least privilege conflicts. If conflicts exist, they\nshould reassign the transaction screens to other FSR templates as necessary to prevent conflicts.\nOnce this assessment is completed, managers should redesign the templates to cover the specific\njob functions performed at each LMP activity and limit user access to only those transaction\nscreens needed to perform specific functions.\n\n\n\n\n                                               30\n\n\x0cImplementing Other System Controls to Prevent Conflict\nAMC managers stated that they had not developed or implemented other types of LMP system\ncontrols that would prevent UAM administrators and supervisors from assigning FSRs, that\nwhen combined, created conflicts. The commercial software package contains a Governance,\nRisk, and Compliance module, which helps prevent unauthorized access and achieve real time\nvisibility into access risk. Army managers stated that they have identified the need for the\nmodule but have not yet funded its purchase. AMC should either purchase the system software\nor identify and develop other system controls needed to assist in identifying excessive or\nunauthorized access.\n\nDeveloping Consistent Account Management Policy and\nProcedures\nAlthough AMC developed an LMP User Access Policy, it did not provide LMP activities with\n                                               the detailed procedures to implement the policy.\n   The LMP User Access Policy did not          The LMP User Access Policy did not identify a\n       identify a preferred method for         preferred method for controlling system access,\n    controlling system access, assigning       assigning FSRs to users based on specific job\n     FSRs to users based on specific job       descriptions, or defining FSR templates that when\n  descriptions, or defining FSR templates      assigned together created potential segregation of\n    that when assigned together created        duties or least privilege conflicts. In addition, the\n  potential segregation of duties or least     policy did not contain adequate procedures to\n              privilege conflicts.             ensure that the UAM administrators implemented\n                                               the NIST account management requirements. NIST\nrequires that an information system have the ability to identify authorized system users and\nspecify user access privileges. NIST also requires appropriate officials to establish accounts and\nfor organizations to activate, modify, disable, and remove accounts and notify account managers\nwhen users are terminated or transferred and deactivate accounts of terminated or transferred\nusers. The two LMP activities visited developed unique procedures for administering user\naccess. The Depot and LCMC did not consistently or appropriately:\n\n   \xe2\x80\xa2   administer the management of user FSRs,\n   \xe2\x80\xa2   adjust access based on changing job assignments,\n   \xe2\x80\xa2   remove access when an individual left the organization or lost their security clearance, or\n   \xe2\x80\xa2   review assigned user access on a regular basis.\n\nThere was also a lack of consistency on how the two activities performed UAM account\nmanagement. The Depot employed a single part-time UAM administrator who used a mostly\nmanual process to manage LMP user access. The six full-time UAM administrators at the\nLCMC used an offline database to track supervisor approval and manage LMP user access. Both\nactivities had control weaknesses in how the UAM administrators controlled system access.\n\nLetterkenny Army Depot System Access\nThe Depot UAM administrators and managers did not effectively establish and maintain user\naccess. As of November 1, 2010, the Depot UAM administrator had assigned 943 users between\n\n\n                                                31\n\n\x0c2 and 95 of the 179 FSR templates that Depot managers determined applicable for use. Of those\n943 users, 254 users had 25 or more FSRs assigned to them. The Depot used a mostly manual\nprocess for granting system access that started with the supervisor submitting a request form to\nthe UAM administrator. The UAM administrator reviewed the FSRs in the request and routinely\ngranted the system access unless the supervisor requested \xe2\x80\x9cRestricted\xe2\x80\x9d FSRs. The UAM\nadministrator forwarded any requests for \xe2\x80\x9cRestricted\xe2\x80\x9d FSRs to the Depot\xe2\x80\x99s LMP Transformation\nChief for additional approval. However, the UAM administrator did not maintain an automated\ndatabase that supervisors could use to identify the FSRs already assigned to an employee. In\naddition, there was no automated method to notify the UAM administrator when users left the\nDepot or changed assignments that affected the FSR assignments.\n\nTo assist us in determining whether adequate LMP system access controls existed at the Depot,\nwe surveyed a sample of the 943 user accounts. See Appendix G for details on how we\nconducted the survey. Although most users thought they had the access needed to perform their\njobs, we estimated that:\n\n       \xe2\x80\xa2\t 391 users were unaware of all the FSRs and transaction screens assigned to them (a\n          potential least privilege conflict),\n       \xe2\x80\xa2\t 885 users had at least one FSR assigned that they did not use (a potential least privilege\n          conflict), and\n       \xe2\x80\xa2\t 140 users had potential segregation of duties conflicts. For example, some users had the\n          ability to create and update purchase requests and purchase orders and receive goods.\n          Other respondents could perform purchasing functions as well as receive, accept, transfer,\n          and write-off goods. 14\n\nThe UAM administrator was also able to assign FSRs to herself. She had this access to perform\nthe other tasks assigned to her, such as working with the material master, clearing transactions,\nand making mass updates of information within the system (system cleansing). LMP Project\nOffice and AMC G-3 personnel stated that there was no policy prohibiting UAM administrators\nfrom assigning access to themselves. These personnel also stated that other LMP activities\nallowed UAM administrators to assign FSRs to themselves to perform activity workload. AMC\nmanagers could not identify any compensating controls they implemented to monitor the FSRs\nassigned to the Depot\xe2\x80\x99s UAM administrator. The ability of the UAM administrators to assign\nFSRs to themselves without higher level monitoring makes LMP data vulnerable to fraud and\nabuse that could go undetected by Army managers. AMC G-3 should work with LMP activities\nto control UAM administrator roles and prevent administrators from assigning FSRs to\nthemselves, or develop appropriate compensatory controls.\n\nAviation and Missile Life Cycle Management Command System\nAccess\nThe LCMC did not implement effective LMP account management for establishing and\nmaintaining user access. As of October 18, 2010, the LCMC UAM administrators had assigned\n2,570 users between 1 and 95 of the 162 FSR templates determined applicable for use by LCMC\n\n\n14\n     See Appendix G for sample methodology and projections.\n\n                                                       32\n\n\x0cpersonnel. The LCMC had an offline database that tracked user access requests and supervisor\napprovals. However, the UAM administrators did not keep the information in the database up\xc2\xad\nto-date, making the offline database an ineffective tool for managing accounts. Interviews with a\nlimited number of users, supervisors, and UAM administrators, and reviews of documentation\nidentified the following control weaknesses.\n\n   \xe2\x80\xa2\t By assigning users more FSRs than they needed to perform their assigned functions,\n      UAM administrators and supervisors caused least privilege conflicts.\n\n   \xe2\x80\xa2\t UAM administrators did not reconcile the FSR information between the offline database\n      and LMP. As a result, the access contained in the offline approval database did not\n      always match what the administrator had actually granted in LMP. For example, an\n      individual to whom the administrator had assigned 95 FSRs in LMP, had only 61 FSRs\n      assigned by the supervisor in the offline database. The discrepancy occurred when the\n      UAM administrator removed a user\xe2\x80\x99s access from the offline database upon reassignment\n      of the individual to a new supervisor. However, the UAM administrator did not remove\n      the access to the FSRs from LMP. Consequently, the user had more system access than\n      intended.\n\nAdjusting System Access for Reassigned User\nThe LMP User Access Policy did not provide UAM administrators and user supervisors with the\ndetailed procedures they needed to ensure that activities controlled the reassignment of LMP\nusers. The LMP User Access Policy directed supervisors to review assigned FSRs periodically\nand, based on that review, request necessary changes to user access. However, supervisors were\nnot routinely informing the UAM administrators that a user\xe2\x80\x99s access to FSRs was no longer\nneeded and required removal. At both activities visited, problems existed with how supervisors\nimplemented the policy. For example:\n\n   \xe2\x80\xa2\t Supervisors allowed users to accumulate a large number of FSRs as they transferred\n      between job assignments within the activity. Former supervisors generally did not\n      request the removal of the FSRs assigned to a user before the user departed an activity,\n      and the acquiring supervisor did not review the FSR templates previously assigned to a\n      user before approving access to additional FSRs for that user. For example, we identified\n      a user reassigned from an inventory management function to accounts receivable and\n      project management function. The user\xe2\x80\x99s supervisor did not notify the UAM\n      administrator of the job change so that the UAM administrator could adjust the FSRs\n      assigned to the user. The combination assigned to this user provided the user with\n      excessive access. The user, who had access to the cash receipt and allocation\n      transactions, had the ability to create customer orders, purchase orders, receipt of goods,\n      and inventory adjustments. The user could also generate letters requesting customer\n      payment. The UAM administrator removed the extra access when notified of this\n      situation. However, the user could have performed system actions that might have\n      resulted in a loss of funds or misappropriation of assets.\n\n   \xe2\x80\xa2\t UAM administrators did not routinely review the accuracy of the information in the\n      offline database or use other tracking mechanisms to ensure that users did not have extra\n\n                                               33\n\n\x0c       access. A review conducted by the LCMC UAM administrators identified 79 users who\n       had been assigned to more than one office by the LCMC. The UAM administrators took\n       immediate actions to adjust the access provided to the 79 users.\n\n   \xe2\x80\xa2\t User access was not consistent with the tasks assigned. For example, a user at the\n      LCMC, whose main responsibility was to enter high priority requests for repair parts\n      from stock on hand within the LMP sales order module, also had FSRs to create and\n      change certain types of purchase requisitions and purchase orders, receive goods, return\n      goods to vendors, and dispose of goods. This user had no need to perform any of these\n      additional functions. This happened because supervisors granted users more access than\n      required for their assigned functions. In addition, UAM administrators did not review\n      user access recorded in the offline database closely enough to identify access no longer\n      required.\n\nArmy Materiel Command Activities Were Not Performing Periodic\nAccess Reviews of Logistics Modernization Program System Access\nManagers at all levels did not conduct periodic reviews of LMP system access placing the\nsystem at risk for potential misuse. The NIST standard requires that organizations define the\nfrequency of conducting user access reviews. The LMP User Access Policy states that LMP\nactivities should conduct system access reviews on an annual basis. However, neither the two\nLMP activities visited nor Army managers were able to provide documentation showing that\nthey had conducted reviews of system access. UAM administrators confirmed that it was the\nsupervisor\xe2\x80\x99s responsibility to review system access. However, the supervisors we spoke with at\nthe two activities visited stated that they were unaware of the requirement for periodic reviews.\n\nUser Access Removal Was Not Properly Performed\nLMP User Access Policy directed supervisors to request removal of access for all employees\nleaving their work unit through transfer or termination or because of the loss of their security\nclearance. Supervisors at the two activities were not routinely removing LMP system access as\nrequired, including those users that were inactive. At the Depot, 4 of 78 sampled users had left\nthe Depot or had their security clearance removed between February 1, 2010, and September 30,\n                                               2010, but still had an LMP access account as of\n   Depot records showed that 265 of the        November 1, 2010. The UAM administrator\n     943 total user accounts were in an        removed the four user accounts when we informed\n               inactive status.                her of the situation. This lack of control places the\n                                               system at risk for potential misuse. Depot records\nshowed that 265 of the 943 total user accounts were in an inactive status. There was no\ndocumentation showing which accounts required permanent deactivation or were simply inactive\ndue to non-use. LMP automatically placed a user in inactive status after 90 days of inactivity.\nSystem access procedures require a review at regular intervals of all user accounts suspended due\nto inactivity. The UAM administrator should have conducted a review of inactive users to\ndetermine whether the users still required system access or if they had left the Depot and their\nuser account required permanent deactivation. Not performing this function demonstrated\nineffective account management. The Depot UAM administrator stated that she did not conduct\n\n\n\n                                                34\n\n\x0creviews and that inactive users remained within LMP until Human Resources Office personnel\nor a supervisor notified the administrator that the Depot had reassigned the user or the user had\ndeparted the Depot.\n\nThe LCMC UAM administrators also did not have a procedure in place to monitor users in an\ninactive status. As of April 6, 2011, the LCMC had 1,448 inactive system access accounts. As\n                                            of June 30, 2011, 21,620 users had LMP system\n   As of June 30, 2011, 21,620 users had    access. However, LMP had suspended\n    LMP system access. However, LMP         7,787 system access accounts due to inactivity. In\n    had suspended 7,787 system access       response to our audit concerns, the two activities\n         accounts due to inactivity.        updated some of their user access and removed\ninactive users. As of August 4, 2011, the Depot had reduced the number of total users from\n943 to 725 and reduced inactive users from 265 to 48. As of August 8, 2011, the LCMC had\n1,361 inactive users.\n\nWhile the LMP User Access Policy does not specifically address the need for the UAM\nadministrators to review inactive accounts, Army Regulation 25-2, \xe2\x80\x9cInformation Assurance,\xe2\x80\x9d\nOctober 24, 2007, requires information assurance support personnel to terminate inactive\naccounts verified as no longer required after 45 days. The LMP User Access Policy should\nrequire the UAM administrator to perform regular reviews of system access accounts suspended\ndue to inactivity. UAM administrators should work with supervisors to ensure that users have\nthe access they require and to remove unneeded user access accounts from the system.\n\nUser Access Oversight Was Not Effective\nArmy managers did not provide sufficient oversight of LMP user access. Army managers had\nnot developed the guidance and internal control checklists or other control documentation\nrequired to assess compliance with LMP access policies. Additionally, no one at any level could\nprovide documentation for any review performed of system access controls since LMP\nimplementation in July 2003. Headquarters, AMC Internal Review Office personnel stated that\nthey had not yet developed a program for assessing LMP system access controls. Without a\nrobust internal control review process to monitor LMP user access, LMP managers had limited\nassurance that they developed adequate system controls that were operational effective to\nmonitor system access requirements. ASA(FM&C) should work with AMC to develop the\nstandards and guidance for implementing and monitoring the internal control requirements for\naccount management, segregation of duties, and least privilege.\n\nArmy Materiel Command Taking Actions to Update Account\nManagement\nIn March 2011, AMC personnel stated that they were revising the LMP User Access Policy. The\nnew policy was to contain updated procedures to assist UAM managers in effectively managing\nLMP system access controls. Once updated, AMC personnel stated that they would be providing\nadditional training on the new policy to UAM managers, UAM administrators, and activity\npersonnel. They also stated that AMC had assembled a team to create internal control checklists\n\n\n\n\n                                                35\n\n\x0c for activities to use in assessing system access controls. These actions are necessary to\nstrengthen the process and more consistently administer the LMP system access policy. AMC\nplans to issue a new access policy in FY 2012.\n\nTo help ensure the consistent administration of system access, AMC should supplement the\nupdated policy with detailed procedures on how UAM administrators and supervisors should\nassign FSRs to users. The procedures should provide for the use of an automated database, such\nas the one used at the LCMC, to track system access approvals and reconcile to FSRs granted to\nusers in LMP. AMC should develop procedures to ensure notification of the UAM\nadministrators of any personnel action that could result in adjusting an LMP user\xe2\x80\x99s access. The\nprocedures should require the appointment of at least one full-time UAM administrator at each\nactivity who is responsible for monitoring system access daily, resolving problems such as\nsystem inactivity, and validating that approved roles do not create conflicts. Once AMC updates\nthe LMP User Access Policy with detailed procedures, UAM managers should train UAM\nadministrators and supervisors on how to properly assign user FSRs and assess the templates to\ndetermine if specific functional roles must be modified or new templates created to perform the\nactivities mission. In addition, AMC should periodically provide centralized training on FSR\nadministration for all UAM managers, UAM administrators, and user supervisors\xe2\x80\x94specifically,\ntraining on account management, segregation of duty, and least privilege controls.\n\nConclusion\nLMP FSRs and other system controls did not properly safeguard P2P data processing. Army\nmanagers did not develop a risk matrix that assessed the assignment of LMP transaction screens\nwithin FSR templates, and the processes used to develop and implement the FSRs did not\nestablish controls over segregation of duties and least privilege conflicts. AMC had issued an\nLMP User Access Policy. However, the policy did not have sufficient detail to ensure that UAM\nadministrators and user supervisors could effectively administer user access. The policy did not\nidentify a preferred method for assigning FSRs to users or define FSR combinations that could\ncreate segregation of duties or least privilege conflicts. UAM administrators and supervisors at\nthe two activities visited, assigned multiple FSRs to individuals that could result in conflicts.\n\nThe two activities did not perform consistent or effective account management, to include\nassigning at least one full-time UAM administrator to administer user access, developing\ncommon procedures and databases for administering the approval process, conducting regular\naccess reviews, and assessing inactive accounts for removal. Managers at all levels did not\nperform periodic reviews of LMP system access. As a result, Army managers have subjected\nLMP data to an increased vulnerability to unauthorized and fraudulent transactions. AMC has\nrecognized the need to strengthen system access controls. AMC plans to update procedures for\naccount management, segregating duties, and limiting access to the extent necessary to perform\nduties. However, Army managers still need to reassess the development of their FSR templates\nand map them to each of the BEA business processes to determine the controls needed to prevent\nconflicts that could result in potential fraud, waste, and abuse. They also need to improve system\naccess controls by reviewing and assessing the impact that regulatory requirements and risk\nassessment associated with assigning transaction screens have on the FSR templates developed.\nThey should ensure that the procedures developed are maintained and provide the UAM\nmanagers and administrators the information they require to administer system access correctly.\n\n                                               36\n\n\x0cOnce they redesign the FSRs templates, the ASA(FM&C) and AMC G-3 should perform a\none-time review of LMP access to identify and resolve segregation of duties and least privilege\nconflicts.\n\nRecommendations, Management Comments, and Our\nResponse\nB.1. We recommend that the Assistant Secretary of the Army (Financial Management and\nComptroller) develop a plan for the Army Materiel Command to improve system access\ncontrols within the Logistics Modernization Program system. Specifically:\n\n       a. Determine the impact of regulatory requirements, such as the Certifying\nOfficer\xe2\x80\x99s Legislation, on the development and issuance of the functional security role\ntemplates. Within 60 days of the report, identify and correct missing and deficient official\nappointment documentation before allowing access to the templates. Once identified,\nsupervisors and system administrators should ensure the proper appointment of users\nbefore granting access to the templates containing those functions.\n\nDepartment of the Army Comments\nThe ASA(FM&C) agreed and stated that she will direct Headquarters AMC and DFAS to\nperform a comprehensive review in March 2012 of LMP system controls. The review will cover\naccess controls, interface controls, process controls, configuration controls, and data integrity.\nThe purpose of the review will be to identify system access deficiencies and risk and provide an\napproach for addressing deficiencies. The ASA(FM&C) also stated that Army managers are in\nthe process of reviewing appointment documentation and additional requirements will be\nidentified in the plan of action and milestones.\n\nOur Response\nThe Army comments were partially responsive. The Army did not specifically address that the\nreview would identify regulatory requirements, such as the Certifying Officer\xe2\x80\x99s Legislation, on\nthe development and issuance of FSR templates. We request that the ASA(FM&C) reconsider\nher response to this recommendation and provide additional comments on the final report,\nexplaining how she will restrict system access until proper appointment documents are\ncompleted to ensure proper accountability over payment certification functions. The additional\ncomments should also identify a date for completing the review of appointment documentation\nand correcting missing and deficient documentation.\n\n       b. Perform a risk assessment of the Logistics Modernization Program system\ntransaction screens assigned within each of the functional security role templates and\nminimize the potential for segregation of duties conflicts. Once this assessment is\ncompleted, managers should redesign the templates to cover the specific job functions\nperformed at each activity and limit user access to only those transaction screens needed to\nperform those job functions.\n\n\n\n\n                                                37\n\n\x0cDepartment of the Army Comments\nThe ASA(FM&C) agreed and stated that she will direct Headquarters AMC and DFAS to\nperform a comprehensive review of LMP system controls. The review will cover a wide-range\nof controls and will include necessary risk assessments and other tools and techniques to assess\nand appropriately limit user access.\n\nOur Response\nThe Army comments were responsive.\n\n       c. Require the mapping of each functional security role template to the\nProcure-to-Pay business process to determine the existence of potential segregation of duty\nand least privilege conflicts. If conflicts exist, realign the transaction screens as necessary\nto prevent these conflicts.\n\nDepartment of the Army Comments\nThe ASA(FM&C) agreed and stated that the Army and Headquarters AMC will provide business\nrules for handling segregation of duty conflicts when updating the FSRs. The ASA(FM&C)\nstated that until Governance, Risk, and Compliance functionality is implemented, the Army will\ncontinue to use existing meetings and policy to minimize conflicts. In response to\nRecommendation B.2, the ASA(FM&C) stated that the Army plans to begin configuration of that\nfunctionality in February 2012, with a release date of December 2012. To minimize the risk of\nconflicts, FSRs will be reviewed and, if necessary, redesigned after Governance, Risk, and\nCompliance implementation.\n\nOur Response\nThe Army comments were responsive.\n\n       d. Update the Logistics Modernization Program User Access Policy and include\ndetailed procedures that prescribe:\n\n                  (1) How administrators and supervisors should assign functional security\nroles to users.\n\n              (2) How to manage user access to include the use of approval databases or\nanother tracking mechanism.\n\n              (3) How administrators should perform regular review of system access\naccounts suspended due to inactivity and work with supervisors to suspend or remove all\nroles when a user departs a work unit, leaves an activity installation, or loses a security\nclearance and obtain approval by the new supervisor of all access granted after\nreassignment.\n\n\n\n\n                                               38\n\n\x0cDepartment of the Army Comments\nThe ASA(FM&C) agreed and stated that the Headquarters AMC Chief Information Officer\nsigned an updated User Account Manager Policy on January 24, 2012. The ASA(FM&C) stated\nthat the new policy requires the review of all suspended and inactive accounts on an annual\nbasis. The ASA(FM&C) also stated that managers and supervisors receive training on the use of\nthe UAM system on a regular and ad hoc basis as system and personnel changes occur.\nAdditionally, she stated that policy updates will be made as a result of system access reviews. In\nresponse to Recommendation B.2, the ASA(FM&C) stated that the new policy addresses how\nmanagers and supervisors assigned FSRs.\n\nOur Response\nThe Army comments were generally responsive. Headquarters AMC provided us a copy of the\nupdated User Account Manager Policy. Although the ASA(FM&C) did not address how the\nArmy would manage user access, the updated policy identified how AMC would use a system\naccess tool to manage user access. No further comments are required.\n\n       e. Conduct an initial review of system access, at all levels, to identify users who have\nbeen granted unneeded access and, thereafter, conduct periodic reviews of system access.\n\nDepartment of the Army Comments\nThe ASA(FM&C) agreed and stated that the Army and Headquarters AMC will provide business\nrules for handling segregation of duty conflicts when updating FSRs. In response to\nRecommendation B.2, the ASA(FM&C) also stated that the Headquarters AMC Chief\nInformation Officer will instruct activities on how to conduct an annual UAM review during the\nthird quarter of FY 2012. She also stated that Headquarters AMC Chief Information Officer\npersonnel will conduct periodic reviews to ensure UAMs are not assigning themselves privileges\nand will take action for users violating their privileges.\n\nOur Response\nThe Army comments were responsive.\n\n       f. Develop a method to monitor the assignment of functional security roles at the\nhighest level and ensure that activities conduct the required periodic reviews.\n\nDepartment of the Army Comments\nThe ASA(FM&C) agreed and stated that she will direct Headquarters AMC and DFAS to\nperform a comprehensive review of LMP system controls. In response to Recommendation B.2,\nthe ASA(FM&C) stated that the updated User Account Manager Policy now addresses FSR\nassignments and the mitigation of segregation of duties conflicts.\n\nOur Response\nThe Army comments were responsive.\n\n\n\n                                                39\n\n\x0cB.2. We recommend that the Assistant Secretary of the Army (Financial Management and\nComptroller) work with the Army Materiel Command to:\n\n       a. Provide centralized training for administrators and supervisors on how to use\nfunctional security role templates to administer access and prevent conflicts.\n\n      b. Purchase the system software needed to assist in developing the system controls\nneeded to prevent or identify excessive or unauthorized access, or identify and develop\ncompatible system controls using other means.\n\n       c. Control administrator roles and prevent administrators from assigning\nfunctional security roles to themselves or develop appropriate compensating controls.\n\nDepartment of the Army Comments\nThe ASA(FM&C) agreed and stated that upon completing the system access review in\nRecommendation B.1, the Army will be in better position to identify training requirements,\ntarget audiences, and the right automated tool to handle provisioning of users and controlling\nsystem roles and permissions. Within 60 days of the review, Army and Headquarters AMC will\nreview current training requirements and adjust them accordingly. The ASA(FM&C) stated that\nthe updated AMC User Account Manager Policy addresses FSR assignments and the mitigation\nof segregation of duties conflicts, and additional corrective requirements will be addressed as\npart of the development of a plan of action and milestones. She also stated that the Army has\nplans to begin configuration of the Governance, Risk, and Compliance functionality in\nFebruary 2012, with an implementation date of December 2012. The functionality will\nproactively mitigate risk and provide the system controls needed to prevent or identify excessive\nor unauthorized access and segregation of duties conflicts. FSRs will be reviewed and, if\nnecessary, redesigned after Governance, Risk, and Compliance implementation to minimize risk.\nFinally, the ASA(FM&C) stated that the Headquarters AMC Chief Information Officer will\nconduct periodic reviews to ensure UAM administrators are not assigning themselves privileges\nand will take action for any users violating their privileges.\n\nOur Response\nThe Army comments were responsive.\n\n\n\n\n                                               40\n\n\x0cFinding C. Vendor Master Data Did Not Support\nthe Procure-to-Pay Process\nArmy Enterprise Systems Integration Program (AESIP) personnel did not determine the\nStandard Financial Information Structure (SFIS) attributes needed to establish records in a\nvendor master database and populate the correct domain values for Army ERP and other systems\nto process P2P transactions correctly. This occurred because the Army OBT and ASA(FM&C):\n\n     \xe2\x80\xa2\t did not direct the AESIP Program Management Office to function as the single source of\n        Army vendor master information or require AESIP personnel to develop, manage, and\n        maintain the Army\xe2\x80\x99s vendor master for use throughout the Army\xe2\x80\x99s ERP environment; and\n     \xe2\x80\xa2\t allowed Army ERP program managers to develop their own methodologies for deriving\n        vendor data. 15\n\nAs a result, Army ERP program managers have spent or intend to spend about $1.3 million to\ndevelop unique functionality to derive vendor information in their own systems, but did not\nresolve long standing material weaknesses related to accounts payable and intragovernmental\neliminations.\n\nVendor Master Information Requirements\nSFIS is the comprehensive \xe2\x80\x9ccommon business language\xe2\x80\x9d that supports DoD information and data\nrequirements for budgeting, financial accounting, cost and performance management, and\nexternal reporting across the enterprise. SFIS enables decision-makers to compare the cost of\nprograms and their associated activities and provides a basis for common valuation of DoD\nprograms, assets, and liabilities. The SFIS Transaction Library and accompanying SFIS matrix\nprovided DoD activities with the specific attributes, domain values, and business rules needed to\npopulate DoD accounting transactions correctly. The Glossary defines attributes, business rules,\nand domain values. The SFIS matrix, version 8.0, March 2011, contained the business rules and\nattributes required for implementing standard transactional domain values within DoD systems,\nincluding three attributes that identified business partner information. 16 The SFIS business rules\nrequired ERP systems to store and maintain the attributes and the domain values. A vendor\nmaster database uses internal unique identification codes to aggregate and build table data on\nwhich to base all functionality for ERP systems\xe2\x80\x99 master data management. Table 3 identifies the\nthree SFIS Trading Partner Information attributes and their valid domain values.\n\n\n15\n  Although this report addresses issues with the implementation of LMP, the solutions developed within AESIP also\naffect GFEBS use of the vendor master database. We identified similar issues with how GFEBS personnel\nrequested and used vendor master data. Reference to Army ERP program managers includes both the LMP project\nmanager and GFEBS program manager.\n16\n  DoD issued SFIS matrix version 7.0 in March 2010. It contained 72 attributes. SFIS matrix version 8.0 reduced\nthe number of attributes to 66. During this audit, we reviewed business rules for the business partner information in\nboth versions of the SFIS matrices and found no differences. Business partner information relates to commercial\nvendors and other trading partners.\n\n\n                                                         41\n\n\x0c         Table 3. SFIS Trading Partner Information Attributes and Domain Values\n          Attribute                            Domain Values Information\nKey            Name                      Values                   Description\n                                 F                    Other Federal entities\n       Federal/Non-Federal                            Non-Federal entities, such as\nTP1\n       Indicator                 N                    private business or local, state,\n                                                      tribal, and foreign governments\n                                                      Other Federal entity Department\n       Trading Partner\nTP2                              3-digit code         Regular Code as determined by\n       Indicator Code\n                                                      the Department of the Treasury\n                                 9-digit Data\n                                                      All business partners except DoD\n                                 Universal Numbering\n                                                      entities\n                                 System number\n       Business Partner\nTP3\n       Number                    \xe2\x80\x9cDOD\xe2\x80\x9d followed by a\n                                 6-digit DoD Activity DoD entities\n                                 Address Code\n\n\nDetermining Standard Financial Information Structure Domain Values\nand Business Partner Registration Status\nThe General Services Administration established the Business Partner Network (BPN) as the\nsingle source for obtaining business partner information. The network provided direct access to\nthe two databases the Government used to register its business partners: the Federal Agency\nRegistration (FedReg) and Central Contractor Registration (CCR).\n\nFederal Agency Registration Requirements\nTreasury Financial Manual Bulletin No. 2011-04, \xe2\x80\x9cIntragovernmental Business Rules,\xe2\x80\x9d\nNovember 8, 2010, requires Federal agencies that conduct business transactions with other\nFederal agencies to obtain and use a unique BPN number and register it in the FedReg. 17 Federal\nbusiness partners must access the FedReg at least annually to validate and update their BPN\ninformation.\n\nCentral Contractor Registration Requirements\nThe CCR is the primary registry for non-Federal business partners. The Federal Acquisition\nRegulation requires both current and potential business partners to register in CCR to do business\nwith DoD financial and acquisition activities. It requires registrants to enter all mandatory CCR\ninformation, including their Data Universal Numbering System number. It also required\nGovernment personnel to validate all mandatory fields, including a validation of the taxpayer\nidentification number, with the Internal Revenue Service, before activating the CCR record. To\nkeep their registrations active, registrants must renew and revalidate their registration annually\n\n\n17\n  Treasury Financial Manual Bulletin No. 2007-03, October 2006, established the BPN requirement. Treasury\nFinancial Manual Bulletin No. 2011-04 superseded the previous version.\n\n                                                     42\n\n\x0cand maintain an active status until the government makes all payments to them on outstanding\ncontracts. The CCR User Guide requires registrants to categorize their organization as Federal,\nstate, local, tribal, or foreign governmental entity, or a private business.\n\nDeveloping a Single Army Vendor Master\nIn November 2007, after the Army began ERP deployment, the Army identified the need to\ndevelop AESIP as the integration program and authoritative source for its master data. 18 The\nArmy spent or planned to spend $242.8 million to develop AESIP as its vendor master data\nmanager. However, AESIP personnel did not determine the SFIS attributes needed in a vendor\nmaster database to populate the correct domain values for Army ERP and other systems\n                                             performing P2P functions to process transactions\n  . . . AESIP personnel did not determine    correctly. This occurred because the Army OBT\n   the SFIS attributes needed in a vendor    and ASA(FM&C) did not direct the AESIP\n  master database to populate the correct    Program Management Office to function as the\n  domain values for Army ERP and other       single source of Army vendor master data\n    systems performing P2P functions to      information or require AESIP personnel to develop,\n        process transactions correctly.      manage, and maintain the Army\xe2\x80\x99s vendor master\n                                             for use throughout the Army\xe2\x80\x99s ERP environment.\nThe Army ERP Strategy reaffirmed the need for a vendor master database to maintain a single\nsource of Army business partner information. 19 Previously, Army ERP program managers\ndeveloped their own methodologies for establishing vendor tables for use within their respective\nsystem. These methodologies incorrectly established the three required SFIS attributes related to\nbusiness partner information, which prevented them from accurately identifying business\npartners and properly recording Federal and non-Federal business transactions.\n\nEstablishing Business Partner Records Using the Business Partner\nNetwork Number\nAlthough the Army designed AESIP to provide and sustain the hub services capability needed to\nfacilitate ERP integration, AESIP personnel had not assumed the responsibility needed to\nbecome the single authoritative source of trading partner information as contained in its mission\nstatement. In addition, they did not develop the vendor master using the SFIS Trading Partner\nInformation attributes and domain values for establishing business partner records. Therefore,\nAESIP personnel did not establish the business partner number (TP3) domain values as the\nprimary data field for establishing business partner records in the vendor master data. Instead,\n\n\n18\n  Army managers originally established AESIP as Product Lifecycle Management Plus in FY 2004, and renamed it\nto AESIP in FY 2008. In November 2007, the Product Lifecycle Management Plus implemented a Customer and\nVendor Master data capability. In 2007 and 2008, the Army logistics community accomplished a three-phased ERP\nIntegration Analysis Study, which evaluated the best way to execute and integrate GFEBS, LMP, and Product\nLifecycle Management Plus. The study recommended a Federated ERP integration approach to leverage Product\nLifecycle Management Plus for Business Intelligence, Business Warehousing, and Master Data Management.\n19\n  The Army ERP Strategy defined the Army ERP environment as containing four ERP systems: LMP, GFEBS,\nGlobal Combat Support System-Army, and Integrated Personnel and Pay System-Army. The Army ERP Strategy\nused AESIP to integrate the business processes and data needed to accomplish business events within the Army ERP\nsystems.\n\n                                                      43\n\n\x0cAESIP personnel used a legacy process that established the records using a business partner\xe2\x80\x99s\nCommercial and Government Entity (CAGE) code or Routing Identifier Code. AESIP needed to\nuse the BPN to obtain its business partner information and cease obtaining vendor registration\ninformation from other sources.\n\nThe Government developed the BPN databases (FedReg and CCR) to serve as the single source\nfor Government business partner information. The SFIS TP3 attribute was to provide a unique\nidentification for each business partner. DoD originally used databases for CAGE codes or\nRouting Identifier Codes to uniquely identify business partners and provide similar information.\nIn November 2007, AESIP personnel began receiving domain values from the BPN databases.\nHowever, AESIP personnel continued to use the CAGE code or Routing Identifier Code to\nestablish the individual business partner record in the vendor master instead of establishing\nvendor master records using the BPN number provided by the databases as required by SFIS. If\nthey had established the vendor master using the BPN number, they could have then obtained\nany additional information needed from such sources as the CAGE code or Routing Identifier\nCode databases using the TP3 domain value. 20 If not registered in FedReg, AESIP personnel\nshould have required the business partner to register before establishing a vendor master record\nfor that business partner.\n\nDespite having received the required TP3 domain values from the FedReg and CCR databases,\n                                              the AESIP program manager did not establish a\n    Based on the information received by      BPN number field in the vendor master structure to\n   BPN number from the BPN databases,         use as the primary field needed to establish each\n    the AESIP program managers should         vendor master record. Based on the information\n       also have been able to record an       received by BPN number from the BPN databases,\n    appropriate Federal and Non-Federal       the AESIP program managers should also have\n    Indicator (TP1) and Trading Partner       been able to record an appropriate Federal and\n   Indicator Code (TP2) domain value for      Non-Federal Indicator (TP1) and Trading Partner\n     each business partner established in     Indicator Code (TP2) domain value for each\n     the Army\xe2\x80\x99s vendor master database.       business partner established in the Army\xe2\x80\x99s vendor\nmaster database. Appendix H describes how the Army should develop a vendor master database\nusing the three SFIS business partner attributes. Table H-1 provides the SFIS attribute data,\nrequired source data, and AESIP data field requirements. To ensure that Army ERP systems,\nand other systems performing P2P functions, provide the required SFIS business partner\nattributes information, the AESIP program manager should develop the AESIP data fields\nidentified in Table H-1 within the Army vendor master database to record the three required\nSFIS attributes. AESIP personnel should create all business partner records from information\ncontained in the Federal Agency Registration and Central Contractor Registration. AESIP\nshould establish individual business partner records using the BPN number and create data files\nto populate the applicable SFIS attributes. Since the BPN has become the single source of\nbusiness partner information, DCMO should work with the Under Secretary of Defense\n(Comptroller) to reevaluate the use of legacy registration processes such as the CAGE code and\n\n\n20\n  AESIP needs to be able to create records for business partners not required to register in one of the BPN databases\nusing a unique 9-digit Data Universal Numbering System number.\n\n                                                         44\n\n\x0cRouting Identifier Code databases for tracking business partner information and determine\nwhether DoD can eliminate these databases by merging them with the BPN databases. Army\nOBT and ASA(FM&C) should require each Routing Identifier Code location to register in\nFedReg before allowing AESIP to create a business partner record in the Army vendor master or\naccepting any supplemental business partner information from that location.\n\nArmy Enterprise Systems Integration Program Needed to Provide\nMore Effective Data Management\nThe Army ERP Strategy reaffirmed AESIP as the single source of authoritative data for\ndeveloping a common vendor master database for use by all Army systems. However, in the\n                                          Army ERP Strategy, Army OBT did not require the\n  The AESIP program manager did not AESIP program manager to assume the authority for\n  develop the vendor master data using master data and direct the use of the data by all Army\n  the BPN number that would allow for systems. The AESIP program manager did not\n     the capture of SFIS attributes for   develop the vendor master data using the BPN\n   vendors and pass the information to    number that would allow for the capture of SFIS\n           systems such as LMP.           attributes for vendors and pass information to systems\n                                          such as LMP. AESIP personnel simply passed\nvendor information from CCR to LMP and did not assume the authoritative control over that\ninformation. AESIP personnel stated that the LMP Project Office was responsible for requesting\nthe appropriate AESIP business partner information.\n\nAESIP personnel provided the LMP Project Office with a listing of the AESIP vendor master\ndata fields. LMP personnel determined the fields needed and provided the system mapping\nrequirements and commercial software layout structure of the targeted fields to AESIP\npersonnel. The AESIP personnel mapped the data fields as the LMP personnel requested and\nprovided the vendor information to the system. However, the methodology designed by LMP\npersonnel was flawed. Specifically, the LMP personnel did not request the proper data from\nAESIP to record the SFIS Federal/Non-Federal Indicator attribute (TP1).\n\nIncorrect Derivation of Federal/Non-Federal Indicator\nOur review of the 2.3 million LMP vendor records that existed as January 4, 2011, showed that\nLMP incorrectly classified Federal and non-Federal business partners. This occurred because the\nLMP personnel derived the TP1 domain values for business partners using an incorrect\nmethodology. The methodology used derived the TP1 domain value based on whether the\nbusiness partner information received by LMP contained a DoD Address Activity Code\n(DoDAAC) number. If the information contained a DoDAAC number, the methodology\nclassified that business partner with a domain value of \xe2\x80\x9cF\xe2\x80\x9d and recorded the transaction in the\nsubsidiary ledger supporting Federal Accounts Payable (GLAC 2110.9100). Otherwise, the\nmethodology classified the business partner with a domain value of \xe2\x80\x9cN\xe2\x80\x9d and recorded the\ntransaction in the subsidiary ledger supporting non-Federal accounts payable (GLAC\n2110.9200). This methodology was incorrect because LMP personnel based the determination of\nTP1 domain values on whether an activity had a DoDAAC number, rather than on the\ninformation contained in the FedReg and CCR. The misclassified portion of the LMP Federal\nand non-Federal business partners caused LMP to record all P2P transactions conducted with\n\n\n                                              45\n\n\x0cthose business partners incorrectly. For example, LMP recorded a non-Federal contractor as\nFederal because DoD had issued that contractor a DoDAAC number. Therefore, AWCF\nmanagers could not rely on the LMP information related to Accounts Payable and other related\ngeneral ledger accounts to manage their activities with business partners and make\nintragovernmental eliminations.\n\nIncorrect Use of Defaulted Trading Partner Indicator Domain Values\nLMP Project Office personnel did not request the proper data field from FedReg for the Trading\n                                        Partner Indicator Code attribute (TP2). Army managers\n     Army managers should have\n                                        should have directed the Army ERP program managers to\n   directed the Army ERP program\n                                        request the Department Code of each Federal entity from\n       managers to request the\n                                        FedReg. Instead, LMP Project Office personnel created\n  Department Code of each Federal\n                                        their own methodologies to derive the information and\n         entity from FedReg.\n                                        did not derive accurate TP2 domain values. The LMP\nmethodology incorrectly recorded a TP2 domain value of \xe2\x80\x9c99\xe2\x80\x9d for all business partners recorded\nin the subsidiary ledger supporting Federal Accounts Payable. This methodology caused the\nmisclassification of all LMP transactions with these business partners because \xe2\x80\x9c99\xe2\x80\x9d did not\nrepresent the actual TP2 domain values for the business partners. 21 Problems in obtaining\naccurate TP2 domain values have prevented the Army from resolving its material weakness\nrelated to intragovernmental eliminations.\n\nLogistics Modernization Program System Did Not Use Trading\nPartner 3 Attribute Correctly\nArmy managers did not require the LMP Project Office to use the TP3 attribute as the primary\ndata field to establish, populate, and maintain the vendor master and the domain values as each\nbusiness partner\xe2\x80\x99s unique identifier. This occurred because Army managers believed that\nsystems, such as LMP, were exempted from this requirement. However, BTA verified that the\nArmy must use the TP3 domain values for unique identification of its business partners. Because\nLMP did not maintain TP3 domain values, it could not identify its business partner information\nas required by SFIS.\n\nBusiness Program Number Registration Status Controls Disabled\nLMP did not identify inactive business partners. LMP Project Office personnel stated that LMP\nhad the capability to track the status of the CCR active records; however, they had turned off the\nCCR registration status controls in LMP because inaccurate information prevented them from\nmaking payments to business partners. By not using the CCR registration status controls, the\nLMP Project Office circumvented the system\xe2\x80\x99s control to prevent inactive business partners from\nreceiving new contracts or additional payments.\n\n\n\n\n21\n     Trading Partner Indicator Code \xe2\x80\x9c99\xe2\x80\x9d did not represent a valid Department Regular Code.\n\n                                                         46\n\n\x0cDeveloping Vendor Master Data with Standard Financial Information\nStructure Attributes\nTo provide effective data management over the vendor master data process, the AESIP Program\nManagement Office needs to assert its authority and create the vendor master data fields to\nestablish unique business partner records based on the three SFIS trading partner information\nattributes obtained or derived from the BPN. As a data manager, AESIP needs to become the\nsingle-source for creating, updating, and deleting Army business partner records. Having a\nsingle source of Army vendor master data would control the vendor master data outside of the\nindividual ERPs and add the appropriate internal control environment over the vendor master\ninformation used throughout the Army. The Army OBT and ASA(FM&C) should issue a policy\nappointing the AESIP program manager as the Army\xe2\x80\x99s vendor master data manager and require\nall systems doing business with the Army to use AESIP vendor master data. They should direct\nthe AESIP program manager to issue instructions on the administration and use of Army vendor\nmaster data and ensure AESIP personnel validate the integrity of the business partner\ninformation. The ASA(FM&C) should also validate that LMP has controls in place to reject new\ncontracts or payment requests from business partners with inactive registration flags.\n\nArmy Expended Funds to Develop Multiple Vendor Tables\nThe Army allowed Army ERP program managers to develop separate methodologies to derive\ntheir own vendor information. As of April 30, 2011, Army ERP program managers spent or\n                                          planned to spend about $1.3 million to derive unique\n      As of April 30, 2011, the ERP       vendor master tables. 22 They used a portion of those\n       program managers spent or          funds to correct vendor information in the system.\n         planned to spend about           However, these efforts did not provide the SFIS trading\n      $1.3 million to derive unique       partner information necessary to help resolve the\n          vendor master tables.           Army\xe2\x80\x99s material weaknesses related to its accounts\npayable and intragovernmental eliminations. The LMP Project Office also created a process for\ncreating one-time vendors in LMP without establishing compensating controls over that process.\nIn addition, by not restricting the development of all business partner information to AESIP,\nArmy managers have created significant internal control problems relating to the information\nwithin LMP. For example, the LMP Project Office created FSRs within LMP to create, update,\nand manage the vendor master table. As of March 2011, LMP activities had assigned FSRs to at\nleast 133 LMP users that allowed them to edit or update vendor information to resolve\ncontracting or payment problems. As the master data manager, only AESIP personnel should be\nable to create and manage vendor master data. Army ERP users should only have access to view\nvendor master data. Using a single Army-wide vendor master helps to provide the necessary\ninternal control over the integrity and use of the vendor information. Army OBT and\nASA(FM&C) should direct the Army ERP programs to cease developing system change requests\nto correct vendor master data within the individual ERP systems. The Army OBT and\nASA(FM&C) should direct ERP managers to discontinue creating and using FSRs that allow\nusers to create or update vendor master records and restrict that functionality solely to AESIP.\n\n\n22\n  This includes about $0.3 million that the GFEBS program manager intended to expend to develop vendor data\nwithin that system.\n\n                                                      47\n\n\x0cDeveloping a Way Forward\nBased on our audit, the AESIP Program Manager took immediate actions to develop a temporary\nsolution to provide TP1, TP2, and TP3 information to LMP until the Army develops a vendor\nmaster that fully complies with SFIS requirements. AESIP personnel stated that the General\nServices Administration would be consolidating eight of the Federal Procurement Systems and\nthe Catalog of Federal Domestic Assistance databases, including CCR and FedReg, into the\nGeneral Services Administration\xe2\x80\x99s System for Award Management database in May 2012. This\nconsolidation effort will result in the development of a common vendor master within the\n                                          Federal government and eliminate redundancies now\n    The concept of developing an          contained in the FedReg and CCR databases. The new\n    integration program, such as          database will include data fields for the Trading Partner\n  AESIP, provides the Army a good         Indicator Codes and BPN Number that the AESIP vendor\n  control over the master data used       master can use to derive and populate a TP1 value. The\n       in its ERP environment.            concept of developing an integration program, such as\nAESIP, provides the Army a good control over the master data used in its ERP environment.\nThe control of master data ensures the integrity of that data throughout the environment.\n\nBased on the General Services Administration\xe2\x80\x99s impending consolidation effort, the AESIP\nProgram Manager should develop the vendor master based on the data structure intended for the\nSystem for Award Management database. The AESIP program manager should also establish\ndata fields to populate the TP2 and TP3 domain values from the new database and derive and\npopulate a TP1 domain value for each record based on these two domain values. The master\nvendor database should use the TP3 domain values as the key data field for controlling vendor\nrecords instead of the current CAGE code.\n\nConclusion\nThe Army had not developed the vendor master data needed to support the P2P business process.\nInstead, the Army managers allowed the LMP program manager to spend or plan to spend\n$1.3 million to create vendor tables. Although AESIP serves as the system integration program\nto provide common master vendor data for the Army ERP environment, it has not yet become\nthe single source of authoritative reference data the Army needed to correctly establish and\nmaintain business partner information. The efforts of the AESIP Program Management Office\nand the LMP program manager have not produced the vendor master data needed to eliminate\nthe material weaknesses within the Army\xe2\x80\x99s P2P business process related to accounts payable and\nintragovernmental eliminations.\n\nWhen transitioning to its ERP environment, Army OBT and ASA(FM&C) should have directed\nthe AESIP program manager to develop common vendor master data that included the SFIS\nattributes needed to identify business partners for the P2P business process. This would have\nenabled the Army ERP systems to accurately classify, record, and report their Federal and non-\nFederal transactions. The Army OBT and ASA(FM&C) need to provide the AESIP program\nmanager with the authority to function as the vendor master data manager and require AESIP to\nestablish, maintain, and provide the correct business partner information to the Army ERP\nenvironment.\n\n\n\n                                                48\n\n\x0cConsidering that the System for Award Management database is scheduled to be available in\n                                      May 2012, the AESIP should develop the ability to\n  Considering that the System for\n                                      receive vendor master data from this new database.\n  Award Management database is\n\n    scheduled to be available in \n\n                                      The Army OBT should ensure that the Army ERP\n   May 2012, the AESIP should\n                                      systems have controls in place to prevent modifications\n   develop the ability to receive\n                                      of the AESIP vendor master data and the issuance of\n vendor master data from this new\n                                      contracts and payments to business partners with inactive\n             database.                business partner registrations. To provide authoritative\nguidance to Army ERP program managers using vendor master data, the AESIP program\nmanager must have visibility of the vendor master data source information to ensure AESIP is\nreceiving all business partner information needed by the Army. In addition, the ASA(FM&C)\nshould ensure that Army ERP program managers receive and use the vendor information in\naccordance with SFIS trading partner information requirements.\n\nRecommendations, Management Comments, and Our\nResponse\nC.1. We recommend that the Deputy Chief Management Officer work with the Under\nSecretary of Defense (Comptroller) to review the use of legacy registration processes, such\nas Commercial and Government Entity Codes and Routing Identifier Codes, to determine\nwhether DoD can eliminate the databases by incorporating them into the new System for\nAward Management database.\n\nDCMO Comments\nThe DCMO agreed and stated that her office will work with the Under Secretary of Defense\n(Comptroller) and Defense Procurement Acquisition Policy to investigate the legacy vendor data\nregistry process to determine whether DoD can eliminate the databases by incorporating them\ninto the new System for Award Management database.\n\nOur Response\nThe DCMO comments were responsive.\n\nC.2. We recommend that the Director, Army Office of Business Transformation and\nAssistant Secretary of the Army (Financial Management and Comptroller) direct in policy\nthat the:\n\n      a. Army Enterprise Systems Integration Program Manager serves as the vendor\nmaster data manager with the authority and personnel to:\n\n             (1) Require all systems doing business with the Army to use only the vendor\nmaster to populate business partner information.\n\n              (2) Prevent Army Enterprise Resource Planning system users from creating,\nmodifying, or deleting vendor information and only allow for view access to master data by\nother system users.\n\n                                              49\n\n\x0c             (3) Validate the integrity of the business partner information contained in\nthe vendor master records.\n\n             (4) Create all business partner records from information contained in the\nFederal Agency Registration and Central Contractor Registration until the System for\nAward Management Database comes on line.\n\n             (5) Establish individual business partner records using the Business Partner\nNetwork number and create data files to populate the applicable Standard Financial\nInformation Structure attributes.\n\n               (6) Issue instructions on the administration and use of Army vendor\ninformation.\n\nDepartment of the Army Comments\nThe ASA(FM&C), responding on behalf of the Army, agreed and stated that the Army Business\nSystem Information Technology Strategy states that AESIP synchronizes and syndicates select\nenterprise master data applicable to each Army ERP system. The ASA(FM&C) also stated that\nthe Army will continue to leverage its business system information technology strategy and\ngovernance procedures to implement additional improvements as updates and opportunities avail\nthemselves. The Army Business System Information Technology Strategy, as a living\ndocument, serves as the Army\xe2\x80\x99s foundation and roadmap for executing the Army enterprise\narchitecture and will evolve in response to changes. Consequently, AMC and ASA(FM&C)\npersonnel will work with OBT personnel to reevaluate and adjust as necessary the functions of\nthe AESIP program manager and his role as the vendor master data manager.\n\nOur Response\nThe ASA(FM&C) comments were partially responsive. The ASA(FM&C) stated that AMC and\nASA(FM&C) personnel will work with OBT personnel to reevaluate and adjust as necessary the\nfunctions of the AESIP program manager and his role as the vendor master data manager.\nHowever, she did not identify how the AESIP program manager will implement the six sub\nelements of the recommendation. We request that the ASA(FM&C) and Director, Army OBT,\nreevaluate their response to this recommendation and provide additional comments on the final\nreport, detailing how they plan to provide the AESIP program manager with the authority and\npersonnel to take the recommended actions.\n\n      b. Army and non-Army Routing Identifier Code locations register within the\nFederal Agency Registration database before creating a business partner record in the\nArmy vendor master record for doing business transactions with the Army or accepting\nany supplemental business partner information from those locations.\n\nDepartment of the Army Comments\nThe ASA(FM&C), responding on behalf of the Army, agreed.\n\n\n\n                                             50\n\n\x0cOur Response\nThe Army comments were nonresponsive. The Army comments did not specifically address the\npolicy needed to ensure that Army and non-Army Routing Identifier Code locations register\nwithin Federal Agency Registration database before creating a Army vendor master record for\ndoing business transactions with the Army or accepting any supplemental business partner\ninformation from those locations. We request the Director, Army OBT and the ASA(FM&C)\nreconsider their response to this recommendation and provide additional comments on the final\nreport, detailing how they enforce require the Army Routing Identifier Code locations to register\nin the Federal Agency Registration or System for Award Management database before\nestablishing a vendor record in AESIP.\n\n       c. Army Enterprise Resource Planning Project Offices:\n\n             (1) remove functional security roles capable of adding, revising, or deleting\nvender information; and\n\n               (2) cease developing change requests for correcting of vendor master data.\n\nDepartment of the Army Comments\nThe ASA(FM&C), responding on behalf of the Army, agreed.\n\nOur Response\nThe Army comments were nonresponsive. The ASA(FM&C) did not specifically address the\nplan to direct the Army ERP Project Offices to remove FSRs capable of adding, revising, or\ndeleting vendor information from the ERP systems and cease developing change requests for\ncorrecting vendor master data outside the AESIP environment. The ASA(FM&C) needs to\naddress how the Army plans to limit the responsibility of Army ERP Project Offices in managing\nthe master vendor data. We request that the Director, Army OBT, and the ASA(FM&C)\nreconsider their response to this recommendation and provide additional comments on the final\nreport, detailing how the Army will limit the ability of Army ERP Project Offices from changing\nvendor master data and ensure that only the AESIP program manager has the authority, access,\nand funding needed to update vendor information.\n\nC.3. We recommend that the Army Enterprise Systems Integration Program Manager\ncreate and manage a vendor master based on the System for Award Management database\nthat can:\n\n       a. Populate required vendor-related Standard Financial Information Structure\nattributes with valid domain values.\n\n       b. Establish the Business Partner Network number as the key data field for all\nbusiness partner records and use that data field when receiving and sending information to\nArmy and other systems.\n\n\n\n\n                                               51\n\n\x0c      c. Identify and track the business partner registration status in the Central\nContractor Registration and Federal Agency Registration databases and System for Award\nManagement database once implemented.\n\n      d. Obtain all vendor information needed by Army Enterprise Resource Planning\nsystems and supporting systems.\n\nDepartment of the Army Comments\nThe ASA(FM&C), responding on behalf of the Army, agreed and stated that the AESIP program\nmanager will work with the stakeholders to implement this recommendation. Actions taken will\nrequire policy, system, and process changes, and validation of Army vendor data to ensure that\nthe Army vendor master is in accord with System for Award Management vendor data.\n\nWith the respect to System for Award Management, the ASA(FM&C) stated that according to\nthe latest data element listing from the General Services Administration, the term Business\nPartner Number will not be used. Commercial and non-government entities will register with\ntheir Data Universal Numbering System number and it will be stored in the Data Universal\nNumbering System number field. DoD agencies will register their DODAAC and it will be\nstored in the DODAAC field. She stated that the AESIP vendor master will be enhanced to be in\nline with the new data and that Army managers will work with LMP on the best and most cost\neffective approach to have their system support the new design. The ASA(FM&C) stated that\nthe Army had completed actions related to Recommendation C.3.c. AESIP currently receives\nthe registration status and passes this information to the Army ERPs and will continue to receive\nand provide this information with the migration to System for Award Management. The\nASA(FM&C) also stated that performing all derivations in AESIP, syndicating the results to\nother systems, and prohibiting changes anywhere except in AESIP is the desired goal. However,\na cost-benefit analysis will be required to determine if this yields a tangible return on investment.\n\nOur Response\nThe Army comments were responsive. Although the new System for Award Management may\nnot use the term Business Partner Number, the Data Universal Numbering System number and\nDoDAAC contain the exact data that the Army will require to correctly establish the SFIS\nbusiness partner number (TP3) domain values. Therefore, the AESIP Program Management\nOffice must ensure that it develops a methodology to populate the SFIS TP3 values using both\nthe Data Universal Numbering System number and DoDAAC and use the TP3 element as the\nprimary key for establishing records in the AESIP vendor tables.\n\nC.4. We recommend that the Assistant Secretary of the Army (Financial Management and\nComptroller) validate that the Logistics Modernization Program system has controls in\nplace to reject new contracts and payment requests from business partners with inactive\nvendor registration flags.\n\n\n\n\n                                                 52\n\n\x0cDepartment of the Army Comments\nThe ASA(FM&C), responding on behalf of the Army, agreed and stated that the Army will\nvalidate transactional data as part of internal control assessment. The test will include a\nvalidation of business partner data in LMP compared to the data in AESIP. This validation will\noccur after the Army has implemented System for Award Management, but not later than\nSeptember 30, 2012.\n\nOur Response\nThe Army comments were responsive.\n\n\n\n\n                                              53\n\n\x0cAppendix A. Scope and Methodology\nWe conducted this performance audit from August 2010 through January 2012 in accordance\nwith generally accepted government auditing standards. Those standards require that we plan\nand perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for\nour findings and conclusions based on our audit objectives. We believe that the evidence\nobtained provides a reasonable basis for our findings and conclusions based on our audit\nobjectives.\n\nDuring this audit, we received detailed briefings from the BTA on the P2P business process\navailable within commercial software and from the LMP Project Office on how Army managers\nhad implemented the software to conduct and report Army business events. We conducted site\nvisits to the LCMC, the Depot, and DFAS Columbus to understand how each activity used LMP\nto perform the P2P business process and control system access. We also held detailed\ndiscussions with personnel from the offices of the USD(C); ASA(FM&C); AESIP PM; and\nAMC G3/5, G6, and G8; as well as within the Army OBT and DFAS.\n\nWe obtained documentation to support Army\xe2\x80\x99s implementation of the P2P business process and\ninitiatives to address abnormal accounts payable balances, local vendor pay, and prevalidation.\nWe obtained a database of the 2.3 million business partners in the LMP vendor table as of\nJanuary 4, 2011, and assessed anomalies in the database. We also obtained the LMP\ndisbursement file for \xe2\x80\x9cDelivered Orders - Obligations Paid,\xe2\x80\x9d (GLAC 4902) for November 2010\nand reconciled it to the amounts reported on the monthly unadjusted trial balances for AWCF\nactivities using LMP. We sorted the 83,894 transactions in the file to identify those transactions\nwith a commitment number that would have affected the P2P business process. This left us with\na population of 57,330 transactions. We provided the adjusted file to the statisticians in the\nQuantitative Methods and Analysis Division, DoD Office of Inspector General. After removing\nthe transactions under one thousand dollars and stratifying the remaining transactions into four\nstrata, the statisticians selected a stratified random attribute sample of 120 transactions. For each\nof the 120 transactions, we reviewed documentation to assess the propriety of the transaction and\nthe validity of the LMP audit trail.\n\nWe analyzed the unadjusted trial balances reported by LMP activities for the fiscal years ended\nSeptember 2008, 2009, and 2010 and for the first six months of FY 2011. We assessed the\nnumber and dollar values of abnormal balances reported in 2 proprietary and 12 budgetary\ngeneral ledger accounts supporting the P2P business process. We also assessed the abnormal\naccount balances within GLAC 4450, GLAC 4610, and GLAC 4700, supporting the AWCF\xe2\x80\x99s\nunobligated balance as of September 30, 2010, and the first 3 months and August of FY 2011.\n\nWe used statistical sampling and other analytical procedures to assess how UAM administrators\nand LMP user\xe2\x80\x99s supervisors at the LCMC and the Depot controlled system access and assigned\nFSRs to users. We obtained the LMP system access assigned to all personnel in the LCMC and\nthe Depot as of October and November 2010 and assessed whether the issuance of user access\nmet the NIST requirements for account management, segregation of duties, and least privilege\naccess. We queried individuals having LMP access using a survey we developed. See\nAppendix G for details on sample methodology and results.\n\n\n                                                 54\n\n\x0cUse of Computer-Processed Data\nTo perform this audit, we obtained data from LMP. We determined data reliability by reviewing\nselected P2P business transactions and the support for them. We reviewed the month-end LMP\ntrial balances from September 2010 through March 2011 and August 2011. We determined the\npropriety of the balances reported by LMP activities for the GLACs supporting the P2P business\nprocess through reviews of the posting logic for the underlying business events. In the accounts\nreviewed, several LMP activities reported abnormal balances and differences existed between\nassociated proprietary and budgetary general ledger accounts. We also obtained an LMP\ndisbursement file (GLAC 4902) for November 2010, and we were able to validate the balance to\nthe November 2010 LMP trial balances reported by the LMP activities. We reviewed\ndisbursement vouchers and supporting documentation for 96 of 120 sampled transactions. Our\nreview of the documentation showed that LMP did not always accurately record data related to\nthe P2P process. We relied on the source documents to provide us with the actual dates,\ndocument numbers, and amounts that LMP activities should have recorded in LMP. LMP\nposting logic problems caused abnormal balances and the incomplete and inaccurate posting of\nbusiness events adversely affected the reliability of the LMP reported data.\n\nWe also reviewed the 2.3 million vendor records in LMP as of January 4, 2011, and user access\ndatabases for the two LMP activities we visited. Through our review of information associated\nwith the vendor records and FSRs assigned to users, we determined that the LMP vendor records\ndid not accurately classify business partners but LMP accurately reflected user access privileges.\nHowever, LMP system access assigned to users did not always reflect the access that UAM\nadministrators and user\xe2\x80\x99s supervisors believed users possessed. Our assessment indicated that\nthe LMP data were sufficient for reaching audit conclusions. However, the findings in the report\naddress the computer-processed data weaknesses found and the needed corrective actions.\n\nUse of Technical Assistance\nThe Quantitative Methods and Analysis Division provided technical assistance throughout the\nsample selection and evaluation process. The Quantitative Methods and Analysis Division\nprovided a stratified sample of disbursements made by LMP in November 2010 and a statistical\nsample of LMP user access at the Depot as of November 1, 2010. See Appendix G for the\nstatistical sampling methodology.\n\n\n\n\n                                                55\n\n\x0cAppendix B. Prior Coverage\nDuring the last five years, the GAO, DoD IG, and the U.S. Army Audit Agency have issued\n10 reports discussing LMP functionality. Unrestricted GAO reports can be accessed over the\nInternet at http://www.gao.gov. Unrestricted DoD IG reports can be accessed at\nhttp://www.dodig.mil/audit/reports. Unrestricted U.S. Army Audit Agency reports can be\naccessed from .mil and gao.gov domains over the Internet at https://www.aaa.army.mil/.\n\nGAO\nGAO Report No. 11-53, \xe2\x80\x9cDefense Logistics: Improved Management Oversight of Business\nSystems Modernization Efforts Needed,\xe2\x80\x9d October 7, 2010\n\nGAO Report No. 10-461, \xe2\x80\x9cDefense Logistics: Actions Needed to Improve Implementation of\nthe Army Logistics Modernization Program,\xe2\x80\x9d April 30, 2010\n\nGAO Report No. 09-852R, \xe2\x80\x9cDefense Logistics: Observations on Army\xe2\x80\x99s Implementation of the\nLogistics Modernization Program,\xe2\x80\x9d July 8, 2009\n\nGAO Report No. 07-860, \xe2\x80\x9cDoD Business Transformation: Lack of an Integrated Strategy Puts\nthe Army\'s Asset Visibility System Investments at Risk,\xe2\x80\x9d July 27, 2007\n\nDoD IG\nDoD IG Report No. D-2011-15, \xe2\x80\x9cInsufficient Governance Over Logistics Modernization\nProgram System Development,\xe2\x80\x9d November 2, 2010\n\nDoD IG Report No. D-2009-87, \xe2\x80\x9cControls Over Contract Obligation Data in the Logistics\nModernization Program,\xe2\x80\x9d June 15, 2009\n\nDoD IG Report No. D-2007-065, \xe2\x80\x9cControls Over the Prevalidation of DOD Commercial\nPayments,\xe2\x80\x9d March 2, 2007\n\nArmy\nU.S. Army Audit Agency Report No. A-2007-0205-FFM, \xe2\x80\x9cLogistics Modernization Program\nSystem Federal Financial Management Improvement Act of 1996 Compliance\xe2\x80\x93First Deployment\nFunctionality,\xe2\x80\x9d September 7, 2007\n\nU.S. Army Audit Agency Report No. A-2007-0163-FFM, \xe2\x80\x9cFY 03\xe2\x80\x93FY 05 Obligations Recorded\nin the Logistics Modernization Program,\xe2\x80\x9d July 27, 2007\n\nU.S. Army Audit Agency Report No. A-2007-0154-ALR, \xe2\x80\x9cFollow up Audit of Aged Accounts\xe2\x80\x93\nU.S. Army Communications-Electronics Life Cycle Management Command,\xe2\x80\x9d July 2, 2007\n\n\n\n\n                                             56\n\n\x0cAppendix C. Description of Technical\nRequirements and Standards\nThis appendix describes the National Institute of Standards and Technology (NIST) standards\nreviewed, the five standards of internal control, the three material weaknesses related to the LMP\nP2P business process, and the Statement of Federal Financial Accounting Standard related to\nAccounts Payable.\n\nNIST Standards\n   \xe2\x80\xa2\t Account Management requires entities to establish account management controls. An\n      entity should have the ability to: identify authorized system users and specify user access\n      privileges; require appropriate approvals for establishing accounts; establish, activate,\n      modify, disable, and remove accounts; notify account managers when users are\n      terminated or transferred; deactivate accounts of terminated or transferred users; grant\n      access to the system based on a valid access authorization, the intended system usage,\n      and other attributes as required by the organization or associated missions/business\n      functions; and review accounts in accordance with the organizationally defined\n      frequency.\n\n   \xe2\x80\xa2\t Separation of Duties requires management to segregate system access so that more than\n      one person is required to complete an end-to-end process using assigned access\n      authorizations. Segregation of duties helps prevent and detect user errors and mitigate\n      the potential for fraud and misuse of assets. The GAO internal control standards refer to\n      this as segregation of duties. Within the report, we refer to this as segregation of duties.\n\n   \xe2\x80\xa2\t Least Privilege requires system managers to assign user authority in such a manner so\n      that only the information and resources necessary for legitimate purposes can be\n      accessed. Least privilege requires that activities assign user access based upon the\n      minimum access that a user requires when performing the tasks assigned by business\n      function and organization.\n\nStandards of Internal Control\n\n   \xe2\x80\xa2\t Control Activities are the policies, procedures, and mechanisms in place to meet agency\n      objectives, including proper segregation of duties, physical controls over assets, proper\n      authorization, and appropriate documentation. Entities should also design application\n      controls to ensure that the ERP systems can authorize and process transactions\n      accurately.\n\n   \xe2\x80\xa2\t Control Environment includes the organizational structure and culture to sustain\n      organizational support for effective internal control. Management must clearly\n      demonstrate its commitment to competence in the workplace when designing, evaluating,\n      or modifying the organizational structure. Management must clearly define areas of\n      authority and responsibility and appropriately delegate the authority and responsibility\n      throughout the agency. Management must also establish a suitable hierarchy for\n\n                                               57\n\n\x0c       reporting and uphold the need for personnel to possess and maintain the proper\n       knowledge and skills to perform their assigned duties as well as understand the\n       importance of maintaining effective internal control within the organization.\n       Management\xe2\x80\x99s philosophy for establishing and maintaining effective internal control\n       should aid in the successful implementation of internal control systems.\n\n   \xe2\x80\xa2\t Information and Communications requires management to communicate relevant,\n      reliable, and timely information to personnel at all organization levels. It is also crucial\n      that an agency communicate with outside organizations whether providing information or\n      receiving it. Situations requiring effective communications of information include\n      receiving updated guidance from central oversight agencies, management communicating\n      requirements to the operational staff, and operational staff communicating with the\n      information systems staff to modify application software to extract data requested in the\n      guidance.\n\n   \xe2\x80\xa2\t Monitoring requires management to scrutinize the effectiveness of internal control in the\n      normal course of business, including thorough periodic reviews and reconciliations or\n      comparisons of data. Management should integrate periodic assessments in the agency\xe2\x80\x99s\n      operations. All personnel should report deficiencies found in internal control to the\n      appropriate personnel and management responsible for that area and they should evaluate\n      and correct the deficiencies.\n\n   \xe2\x80\xa2\t Risk Assessment involves identifying internal and external risks that may prevent the\n      organization from meeting its objectives. When identifying risks, management should\n      take into account relevant interactions within the organization as well as with outside\n      organizations and analyze the potential effect or impact on the agency.\n\nMaterial Weakness Description\nOffice of Management and Budget Circular No. A-123 defines a material weakness as a\ndeficiency, or a combination of deficiencies, in internal control such that there is a reasonable\npossibility that a material misstatement of the entity\xe2\x80\x99s financial statements will not be prevented,\nor detected and corrected on a timely basis. The material weaknesses discussed in this report\nare:\n\n   \xe2\x80\xa2\t Accounts Payable. The Army relies on unsupported adjustments processed by DFAS to\n      report accounts payable balances. These adjustments were required to account for\n      undistributed disbursements and intragovernmental accounts payable. Army is working\n      on implementing an upgrade for constructive receipts in LMP that targets correction of\n      the accounts payable accounting and reporting issues. The LMP upgrade is scheduled for\n      December 2011. Additional steps that will solidify correction of this weakness include\n      actions to clean up legacy balances, elimination of record data types, correction of trading\n      partner data, and full usage of Wide Area WorkFlow.\n\n   \xe2\x80\xa2\t Abnormal Account Balances. In FY 2010, the AWCF Industrial Operations and Supply\n      Management activities (limit-level) reported 81 abnormal account balances, valued at\n      $2.1 billion, including 33 accounts for $1.6 billion in the LMP environment. The\n\n                                                 58\n\n\x0c       abnormal balances in LMP are caused by incorrect general ledger attributes. Full\n       implementation of the SFIS in LMP will correct the abnormal balances caused by\n       incorrect general ledger attributes. The remaining abnormal balances will be manually\n       reconciled and corrected.\n\n   \xe2\x80\xa2\t Intragovernmental Eliminations. Army systems were unable to collect, exchange, and\n      reconcile buyer and seller intragovernmental transactions, resulting in adjustments that\n      were not verifiable. DoD and AWCF systems did not capture the trading partner\n      financial data at the transaction level needed to facilitate reconciling and eliminating\n      intragovernmental transactions. DoD procedures require that the Army adjust its buyer-\n      side transaction data to agree with seller-side transaction data from other Government\n      entities without the entities performing proper reconciliations. As a result, DFAS\n      Indianapolis adjusted to AWCF accounts to force the accounts to agree with the\n      corresponding records of intragovernmental trading partners.\n\nDefining Accounts Payable\nStatement of Federal Financial Accounting Standards Number 1, \xe2\x80\x9cAccounting for Selected\nAssets and Liabilities,\xe2\x80\x9d March 30, 1993, states the following about accounts payable:\n\n   \xe2\x80\xa2\t Accounts payable represent amounts owed by a Federal entity for goods and services\n      received from the entities; progress in contract performance and rents due to other\n      entities.\n\n   \xe2\x80\xa2\t The amounts owed for goods or services received from Federal entities represent\n      intragovernmental transactions and require separate reporting from amounts owed to the\n      public.\n\nDoD FMR, volume 4, chapter 9, \xe2\x80\x9cAccounts Payable,\xe2\x80\x9d August 2009, requires DoD systems to\nrecord accounts payable transactions using the appropriate U.S. Government Standard General\nLedger proprietary and budgetary accounts as defined in SFIS.\n\n\n\n\n                                              59\n\n\x0cAppendix D. Acronyms and Abbreviations\n\nAESIP       Army Enterprise Systems Integration Program\nAMC         Army Materiel Command\nASA(FM&C)   Assistant Secretary of the Army (Financial Management and\n              Comptroller)\nAWCF        Army Working Capital Fund\nBEA         Business Enterprise Architecture\nBPN         Business Partner Network\nBTA         Business Transformation Agency\nCAGE        Commercial Activity Government Entity\nCCR         Central Contractor Registration\nDCMO        Deputy Chief Management Officer\nDFAS        Defense Finance and Accounting Service\nDoDAAC      DoD Address Activity Code\nDoD FMR     DoD Financial Management Regulation\nDoD IG      DoD Inspector General\nERP         Enterprise Resource Planning\nFISMA       Federal Information Security Management Act of 2002\nFSR         Functional Security Role\nGAO         Government Accountability Office\nGFEBS       General Fund Enterprise Business System\nGLAC        General Ledger Account Code\nLCMC        Life Cycle Management Command\nLMP         Logistics Modernization Program system\nMIPR        Military Interdepartmental Purchase Request\nNIST        National Institute of Standards and Technology\nOBT         Office of Business Transformation\nP2P         Procure-to-Pay\nSFIS        Standard Financial Information Structure\nUAM         User Account Management\n\n\n\n\n                                   60\n\n\x0cAppendix E. Business Transformation Agency\nProcure-to-Pay Illustration\nBEA 7.0 describes the P2P business process as encompassing all business functions necessary to\nobtain goods and services. The BEA P2P business process identifies six phases during which\nactivities post financial transactions: Requisitioning and Commitments, Contracting and\nObligations, Goods Receipt, Invoicing, Entitlement, and Disbursing. The illustration in Figure\nE-2, which BTA provided in August 2010, compares the intended BEA business process (top\nportion) with the current \xe2\x80\x9cAs Is\xe2\x80\x9d environment (bottom portion). The process also had a phase\nentitled \xe2\x80\x9cbudgeting\xe2\x80\x9d which we will assess during a separate audit of the LMP budget process.\nFigure E-1 defines the acronyms used in Figure E-2.\n\n                            Figure E-1. Listing of Illustration Acronyms\nAVPRAT \xe2\x80\x93 Accounting Vendor Pay and Analysis Tool\nBW - Business Warehouse\nCAPS-W \xe2\x80\x93 Computerized Accounts Payable System- Windows\ndbCAS \xe2\x80\x93 Database Commitment Accounting System\nDCAS \xe2\x80\x93 DoD Cash Accountability System\nFFMIA \xe2\x80\x93 Federal Financial Management Improvement Act\nFFMRS \xe2\x80\x93 Federal Financial Management System Requirements\nFSIO \xe2\x80\x93 Financial Systems Integration Office\nODS \xe2\x80\x93 Operational Data Store\nPBAS \xe2\x80\x93 Program Budget and Accounting System\nSPS \xe2\x80\x93 Standard Procurement System\nSRD-1 \xe2\x80\x93 Standard Finance System Redesign\nSTANFINS \xe2\x80\x93 Standard Financial System\nWAWF \xe2\x80\x93 Wide Area WorkFlow\n\nSource: Auditor Developed\n\n\n\n\n                                                61\n\n\x0cFigure E-2. Business Transformation Agency Procure-to-Pay Illustration\n\n\n\n\nSource: Business Transformation Agency\n\n\n\n\n                                             62\n\n\x0cAppendix F. Segregation of Duties\nNIST Special Publication 800-53, Revision 3, \xe2\x80\x9cRecommended Security Controls for Federal\nInformation Systems and Organizations,\xe2\x80\x9d May 2010, control AC-5, defines segregation of duties\nas the system access control that requires more than one person to complete an end-to-end\nprocess using assigned access authorizations. Segregation of duties requirements applicable to\nthe development of LMP FSRs were:\n\n   \xe2\x80\xa2\t segregate duties of individuals as necessary to prevent malicious activity without\n\n      collusion, \n\n\n   \xe2\x80\xa2\t document segregation of duties risk by the organization, and\n\n   \xe2\x80\xa2\t implement segregation of duties through assigned information system access\n\n      authorizations. \n\n\nAccording to industry best practices, the best way to minimize the opportunity to commit fraud is\nto implement a good system of internal controls, which includes proper authorizations and\nsegregation of duties. Within the P2P business process, the same user should not perform more\nthan one of the following functions: purchasing, receipt of goods, recording of invoices,\nmodification of inventory records, and creating or updating the master tables.\n\nIdentifying Potential Segregation of Duty Conflicts\nTable F-1 shows the LMP transaction screens assignable to FSRs within the five P2P functions.\n\n             Table F-1. LMP Transaction Screens for Procure-to-Pay Process\n                        Receipt of      Recording of     Modify Inventory\n   Purchasing            Goods            Invoices          Records              Master Tables\nFMY1 \xe2\x80\x93 Create        MB1B \xe2\x80\x93            FBR2 \xe2\x80\x93 Post       HUNINV05 \xe2\x80\x93            MM01 \xe2\x80\x93 Create\nFunds                Goods             Document          Clears Inventory      Material\nCommitment           Movement                            Differences\nFMY2 \xe2\x80\x93 Change        MB1C \xe2\x80\x93 Other      FB02 \xe2\x80\x93            LI11N \xe2\x80\x93 Enter         MM02 \xe2\x80\x93 Change\nFunds                Goods Receipt     Change an         Inventory Count       Material\nCommitment                             Invoice\nFMZ1 \xe2\x80\x93 Create        MIGO \xe2\x80\x93            FB60 \xe2\x80\x93 AP         LI12N \xe2\x80\x93 Change        MM06 \xe2\x80\x93 Flag for\nFunds Obligation     Goods             Invoicing         Inventory Count       Deletion\n                     Movement\n                     (Receipt)\n\nFMZ2 \xe2\x80\x93 Change        ZIGO \xe2\x80\x93 Goods      FB65 \xe2\x80\x93 A/P        LI20 \xe2\x80\x93 Clear          MM17 \xe2\x80\x93 Mass\nFunds Obligation     Receipt           Credit Memo       Inventory             Change Material\n                                                         Differences           Master\n\n\n\n\n                                               63\n\n\x0c            Table F-1. LMP Transaction Screens for Procure-to-Pay Process\n                                    (Continued)\n                    Receipt of    Recording of    Modify Inventory\n   Purchasing        Goods          Invoices         Records            Master Tables\nME21N \xe2\x80\x93 Create                   F-47 \xe2\x80\x93 Down     LI21 \xe2\x80\x93 Clear           XK01 \xe2\x80\x93 Create\nPurchase Order                   Payments        Inventory Difference   Vendor Master\n                                                 in MMI                 (All Areas)\nME22N \xe2\x80\x93 Change                   MIRO \xe2\x80\x93 Post     MB1A \xe2\x80\x93 Goods Issue XK02 \xe2\x80\x93 Change\nPurchase Order                   Invoice                            Vendor Master\nME29N \xe2\x80\x93 Release                                  MB11 \xe2\x80\x93                 ZAOR \xe2\x80\x93\nPurchase Order                                   Goods/Inventory        ZPS_Recovery\n                                                 Adjustment             Table\n                                                                        Maintenance\nME51N \xe2\x80\x93 Create                                   MI07 \xe2\x80\x93 Post Cycle      ZFUNDK2 \xe2\x80\x93\nPurchase                                         Count Differences      Maintain\nRequisition                                                             Funding Table\nME52N \xe2\x80\x93 Change                                   MR11 \xe2\x80\x93                 ZPSCFNDK \xe2\x80\x93\nPurchase                                         Goods/Invoices         Maintain Master\nRequisition                                      Receipts Adjustment    Tables\nME53N \xe2\x80\x93 View                                     MR11SHOW \xe2\x80\x93\nPurchase Request                                 Reverses\n                                                 Good/Invoice\n                                                 Receipts Adjustments\nME59 \xe2\x80\x93 Auto                                      MR21 \xe2\x80\x93 Pricing\nGeneration of                                    Changes\nPurchase Order\nZMILS \xe2\x80\x93 Process                                  MSC2N \xe2\x80\x93 Change\nRequirement                                      Material Batch\n\nZMMR \xe2\x80\x93 Mass                                      VA01 \xe2\x80\x93 Create Sales\nCreate Vendor                                    Order\nReturns\nZMO \xe2\x80\x93 Interfaces-                                VA02 \xe2\x80\x93 Change\nPurchasing                                       Sales Order\nInterface Monitor\nZFUND \xe2\x80\x93 Funds\nCertification\nProcess\n\n\n\n\n                                         64\n\n\x0cUsing the NIST guidance and various publications from major accounting firms, we identified\nthat access to the following LMP transaction screens could pose segregation of duties conflicts\nwhen given to a single user.\n   \xe2\x80\xa2\t The individual initiating or modifying a purchase request should not be able to create\n      (XK01) or modify the vendor record (XK02), record invoices (FB60, MIRO), receive\n      goods and services (MIGO, ZIGO), or reconcile inventory records (MB11).\n\n   \xe2\x80\xa2\t The individual creating or approving purchase orders (ME21N, ME22N) should not be\n      able to record invoices (FB60, MIRO).\n\n   \xe2\x80\xa2\t The individual receiving goods and services (MIGO, ZIGO) should not have purchasing\n      functions (ME21N, ME22N, ME51N, ME52N) or be able to modify the vendor records\n      (XK01, XK02) or record invoices (MIRO, FB60) or credit memos (FB65).\n\nThe individual performing the three-way match of obligations, invoice, and receiving reports\n(FB60, MIRO) should not also be involved in receipt functions (MIGO, ZIGO) or purchasing\nfunctions (ME21N, ME22N, ME51N, ME52N), modify the vendor record (XK01, XK02), or\nhave any inventory functions (transaction screens listed under Modify Inventory Records in\nTable F-1).\n\n\n\n\n                                               65\n\n\x0cAppendix G. Statistical Sampling Methodology\nBased on the results of our judgmental review of system access at the LCMC, we worked with\nthe Quantitative Methods and Analysis Division to design a statistical sample at the Depot to\nassess system access.\n\nSampling Purpose\nThe purpose of the statistical sampling plan was to determine whether system access provided to\nusers at the Depot demonstrated proper implementation of the FISMA requirements related to\nsegregation of duties, least privilege, and account management.\n\nUniverse Represented\nWe obtained the universe of LMP users assigned to the Depot as of November 1, 2010. The\nuniverse consisted of 943 users. We identified the specific FSRs each user held. The number of\nFSRs held by users ranged from 2 to 95.\n\nSampling Design\nThe sampling design was a stratified variable sample consisting of two strata: a census stratum\nand a random stratum. For the census stratum, we selected the 13 users who had the highest\ncombined number of restricted FSRs and total FSRs assigned to them. For the random stratum,\nwe randomly selected without replacement 65 users from the remaining users in the universe.\nWe randomly selected users using the =RAND() function in Excel 2007.\n\nSampling Methodology\nTo determine whether the Depot had implemented effective account management practices and\nhelp us determine potential segregation of duties and least privilege conflicts, we developed a\nquestionnaire containing three questions. We performed face-to-face interviews while at the\nDepot with 11 of the 78 LMP users. Seven of the 13 users were from the census stratum and 4 of\nthe 65 users from the random stratum. We then designed and administered an e-mail survey and\ntransmitted it to the remaining 67 LMP users. The e-mail survey asked the users to identify their\njob titles and provide information about the FSRs assigned, the tasks they performed on a regular\nbasis, and any FSRs and responsibilities assigned previously related to LMP. In the e-mail\nsurvey, we provided a spreadsheet listing the FSRs assigned to each sampled user as of\nNovember 1, 2010, including the transaction screens assigned within each FSR. We asked the\nrespondents to identify the purpose of each FSR assigned, the use of transaction screens within\neach FSR, and the functions they accomplished using the transaction screens. We also requested\nthat the user identify any assigned FSRs they did not use. We asked these questions to determine\nthe extent to which the respondent used their access and determine whether the FSRs potentially\ncaused segregation of duties or least privilege conflicts and whether the Depot followed proper\naccount management practices. We also asked if they were part of the LMP Transition Team to\ndetermine if that could be cause for assigned access outside of a respondent\xe2\x80\x99s normal duties. We\nused responses to the questionnaire to answer the following four questions.\n\n\n\n\n                                               66\n\n\x0c1.\t Was the user aware of the FSRs assigned? For this attribute, we assigned:\n          \xe2\x80\xa2 \xe2\x80\x9cNo\xe2\x80\x9d to definitive statements made by respondents that indicated that they were not\n       aware of the FSRs assigned, such as \xe2\x80\x9cThere is no way I have this many FSRs,\xe2\x80\x9d \xe2\x80\x9cCan\xe2\x80\x99t you\n       send me the FSRs I really have,\xe2\x80\x9d or \xe2\x80\x9cI have never used LMP.\xe2\x80\x9d\n           \xe2\x80\xa2 \xe2\x80\x9cYes\xe2\x80\x9d when the respondent provided a clear explanation of how they used at least one\n       of the transaction screens assigned within each FSR.\n          \xe2\x80\xa2 \xe2\x80\x9cNot determinable\xe2\x80\x9d for respondents who did not provide a clear response to the\n       question.\n2.\t Does the user have the FSRs needed to perform job? For this attribute, we assigned:\n           \xe2\x80\xa2 \xe2\x80\x9cNo\xe2\x80\x9d to the one respondent who stated that she could use additional screens not\n       assigned.\n           \xe2\x80\xa2 \xe2\x80\x9cYes\xe2\x80\x9d to respondents who stated they had the FSRs needed to perform their jobs.\n          \xe2\x80\xa2 \xe2\x80\x9cNot determinable\xe2\x80\x9d to the three respondents who had departed the Depot before we\n       administrated the survey.\n3.\t Does the user have excess FSRs assigned? For this attribute, we assigned:\n           \xe2\x80\xa2 \xe2\x80\x9cNo\xe2\x80\x9d to respondents who identified all the FSRs assigned and the transaction screens\n       they used within the FSRs. We also assigned a \xe2\x80\x9cNo\xe2\x80\x9d to the one respondent who stated that\n       she could use additional screens not assigned.\n          \xe2\x80\xa2 \xe2\x80\x9cYes\xe2\x80\x9d to respondents who stated they did not use LMP, one or more assigned FSRs, or\n       who could not identify all the FSRs assigned and the transaction screens they used.\n4.\t Does potential exist for a segregation of duties conflict within the P2P business process? Using\n    the information within Appendix F, we assessed the FSRs and transaction screens assigned to\n    each of the 78 LMP users. For the attribute, we assigned:\n        \xe2\x80\xa2 \xe2\x80\x9cNo\xe2\x80\x9d if a user\xe2\x80\x99s access to a combination of LMP screens did not allow the user to\n   accomplish more than one function (authorization, execution, custody, or recording), we\n   determined that no potential segregation of duties conflict existed.\n       \xe2\x80\xa2   \xe2\x80\x9cYes\xe2\x80\x9d if a user\xe2\x80\x99s access to a combination of LMP screens allowed the user to\n\n   accomplish more than one function (authorization, execution, custody, or recording), we\n\n   determined that a potential existed for a segregation of duties conflict.\n\n\n\n\n\n                                                   67\n\n\x0cSampling Results\nTable G-1 shows how we categorized the responses from the 78 sampled LMP users. We\nprovided the results to the Quantitative Methods and Analysis Division for statistical projection.\n\n                              Table G-1. User Access Assessment\n                                                                            Not\n              Attributes Assessed                      Yes       No     Determinable\n1. Is the user aware of the FSRs assigned?             10         32          36\n 2. Does the user have the FSRs needed to\n    perform the user\xe2\x80\x99s job?                            74         1           3\n 3. Does the user have excess FSRs assigned\n    (FSRs that they do not use)?                       73         5           0\n 4. Within the assigned FSRs, is there a\n    potential segregation of duties conflict?          20         58          0\n\nA significant number of users were unaware of the access assigned (attribute 1, \xe2\x80\x9cNo\xe2\x80\x9d response).\nMost users believed that had the access they needed to perform their job (attribute 2, \xe2\x80\x9cYes\xe2\x80\x9d\nresponse). In addition, most users had access to transaction screens they did not require to\nperform their job (attribute 3, \xe2\x80\x9cYes\xe2\x80\x9d response) or had FSRs assigned or transaction screens that\npotentially resulted in a segregation of duties conflict (attribute 4, \xe2\x80\x9cYes\xe2\x80\x9d response). Table G-2\nprovides the statistical estimate of the 943 users for each of the four attributes at a 90 percent\nconfidence level.\n\n                        Table G-2. User Access Attribute Projections\n                               (90 Percent Confidence Level)\nAttributes Assessed                   Lower Bound            Point Estimate   Upper Bound\n1. Users unaware of FSRs\nassigned                                    289                  391               494\n2. Users who believed they had\nthe access needed to do their job           830                  886               942\n3. Users who had at least one FSR\nassigned that was not used                  829                  885               941\n4. Users with potential segregation\nof duties conflict                          64                   140               215\n\nWe concluded that the Depot had not effectively implemented the requirements for accounts\nmanagement, segregation of duties, and least privilege.\n\n\n\n\n                                                  68\n\x0c  Appendix H. Developing the Vendor Master\n  Using Standard Financial Information Structure\n  Attributes\n  The SFIS business rules require ERP systems to use SFIS attribute fields for general ledger\n  posting and financial reporting. The BPN number is the key for obtaining and reporting business\n  partner information and used for establishing a vendor master record. Information extracted\n  from either the FedReg or CCR should be used to create all records and populate the three SFIS\n  Trading Partner Information attributes. Table H-1 shows how AESIP personnel should obtain\n  the attributes and domain values from the data reported in the source files (FedReg and CCR)\n  and create the master vendor data in AESIP.\n\n                      Table H-1. SFIS to AESIP Attributes and Domain Values\n                SFIS                           Source Data Field                   AESIP\n              Domain                                                         Data      Domain\nAttribute      Value         Entity        FedReg              CCR           Field      Value\nTP1                                                          Type of\n                             Federal      Data field\n                                                          Organization\n                  F          Trading         not                                            F\n                                                         field identified\n                             Partner      available                          Federal/\n                                                            as Federal\n                                                                              Non-\n                                                             Type of\n                              Non-                                           Federal\n                                                          Organization\n                             Federal                                        Indicator\n                 N                           N/A         field identified                   N\n                             Business\n                                                          as other than\n                             Partners\n                                                             Federal\nTP2                                                                          Trading\n                             Federal                                                    Department\n               3-digit                   Department                          Partner\n                             Trading                          N/A                        Regular\n                code                       Code                             Indicator\n                             Partner                                                      Code\n                                                                              Code\nTP3            Data                                                                       Data\n                        Non-DoD                          Data Universal\n             Universal                                                                  Universal\n                       Federal and          BPN           Numbering\n             Numbering                                                                  Numbering\n                         Private           Number           System\n              System                                                                     System\n                       Businesses                           number           BPN\n              number                                                                     number\n                                                                            Number\n                                                         Data Universal\n             DoD Plus                       BPN           Numbering                     DoD Plus\n                              DoD\n             DoDAAC                        Number           System                      DoDAAC\n                                                            Number\n\n  Trading Partner Attribute Requirements\n  The SFIS established three distinct attributes that systems must record at the transaction level for\n  general ledger accounts that identify the business partners involved. These attributes allow\n\n\n\n                                                   69\n\n\x0caccounting systems to identify intragovernmental transactions for use during the elimination\nprocess when developing consolidated financial statements.\n\n     \xe2\x80\xa2\t The SFIS Federal/Non-Federal Indicator (TP1) attribute identifies the type of business\n        partner involved in a transaction. The type of business partner involved in a transaction\n        determines whether to report the transaction as Federal or non-Federal. To identify\n        intragovernmental transactions for elimination, the Army ERP systems need to have the\n        capability to distinguish between Federal and non-Federal transactions. To develop SFIS\n        attributes, AESIP personnel need to establish each business partner\xe2\x80\x99s TP1 information\n        using data obtained directly from the CCR data field that identified the type of\n        organization the business partner registered as or record a domain value of \xe2\x80\x9cF\xe2\x80\x9d for all\n        business partners registered in FedReg.\n\n     \xe2\x80\xa2\t The SFIS Trading Partner Indicator Code (TP2) attribute identifies the Department\n        Regular Code of the other Federal entity involved in a transaction. 23 The TP2 attribute\n        allowed Army ERP managers to identify the specific Federal entities involved in\n        intragovernmental transactions for use in its intragovernmental elimination process. For\n        Federal business partners, AESIP personnel need to establish each business partner\xe2\x80\x99s TP2\n        information using data obtained from the FedReg\xe2\x80\x99s Department Regular Code data field.\n        For non-Federal business partners, the TP2 domain value is blank.\n\n     \xe2\x80\xa2\t The SFIS BPN Number (TP3) attribute records a unique, nine-position alphanumeric that\n        identifies business entities on a location-specific basis. To populate the domain value,\n        AESIP personnel need to establish each business partner\xe2\x80\x99s TP3 information by obtaining\n        the DUNS number or \xe2\x80\x9cDoD\xe2\x80\x9d plus DoDAAC directly from FedReg or CCR. The TP3\n        attribute should be the primary data field for establishing the AESIP vendor master\n        records.\n\nBusiness Partner Status\nArmy ERP systems also needed to have the capability to identify the current registration status\nfor each business partner. The Federal Acquisition Regulation does not allow inactive business\npartners from receiving new contracts or additional payments until a valid registration exists.\nThe CCR and FedReg provide the registration status of business partners. AESIP personnel\nrecorded this status in a data field and had to ensure that the vendor master identified the current\nregistration status of each business partner and passed that information to ERP systems regularly.\n\n\n\n\n23\n The Department of the Treasury assigned a Department Regular Code to each Federal entity. For example, the\nDepartment Regular Code for the Army is \xe2\x80\x9c021.\xe2\x80\x9d\n\n                                                     70\n\n\x0cGlossary\nAttributes - characteristics of a U.S. Government Standard General Ledger account captured\nand used to meet specific reporting requirements. Agency systems must record transactions\nusing U.S. Government Standard General Ledger 4-digit accounts plus attributes in order to\ncapture information needed to meet external reporting requirements.\n\nBusiness Rules - principles identified in a DoD BEA document that should be followed so that\nthe target accounting system is populated with the correct data.\n\nCommercial and Government Entity (CAGE) Code \xe2\x80\x93 a 5-digit identification number used\nextensively within the Federal Government to identify companies doing or desiring to do\nbusiness with the Federal Government. The CAGE code provides a standardized method of\nidentifying a given facility at a specific location.\n\nData Universal Numbering System Number \xe2\x80\x93 unique 9-digit number that non-government\nentities and Federal civilian entities (non-DoD) must obtain from Dun & Bradstreet,\nIncorporated. An entity must use the number as its BPN number and for Federal Agency\nRegistration and CCR.\n\nDoD Activity Address Code (DoDAAC) \xe2\x80\x93 a unique identifier of a unit, activity, or organization\nthat has the authority to requisition and/or receive materiel. DoD entities must use the letters\n\xe2\x80\x9cDOD\xe2\x80\x9d followed by their 6-digit DoDAAC (for example, DOD123456) as their BPN number.\n\nDomain Values \xe2\x80\x93 the possible valid data elements within an attribute. For example, the Federal\nand Non-Federal Indicator use an "F" domain value to classify a transaction as Federal and an\n"N" domain value to classify a transaction as Non-Federal.\n\n\n\n\n                                              71\n\n\x0cDeputy Chief Management Officer Comments\n\n\n\n\n\n  a~                         DEPUTY CHIEF MANAGEMENT O FFIC ER\n                                         901 0 DEFENSE PENTAGON\n                                        WASHINGTON, DC 2 0301 \xc2\xb790 10\n\n\n\n                                                                                 FEB 18 2011\n\n\n     MEMORANDUM FOR ASSISTANT INSPECTOR GENERAL (FINANCIAL\n                      MANAGEMENT AND REPORTING)\n\n     SUBJECT: Comments to Draft Audit Report, " Logistics Modernization Program System\n                    Procure-lo-Pay Process Did Not Correct Material Weaknesses"\n                    (Project No. D2010- DOOOFI-0234.000)\n\n            This memorandum responds to your request for comments on one audit recommendation\n     contained in the draft audit report issued January 3, 2012. We concur with the recommendation\n     contained in the subject draft audit report. Our detailed response to the recommendation is\n     provided in the attachment.\n\n                                  is the point of contact for this response. He can be reached by\n     telephone at                or by email at\n\n                                    Click to add JPEG file\n\n                                                    ~--\n                                                   Elizabeth A. McGrath\n\n\n     Attachment:\n     As stated\n\n\n\n\n                                                                72\n\x0c   DEPARTMENT OF DEFENSE OFFICE OF THE INSPECTOR GENERAL (DoDIG)\n  DRAFT REPORT DATED JANUARY 3, 2012, PROJECT NO. D2010\xc2\xb7 DOOOFI-0234.000\n    "LOGISTICS MODERNIZATION PROGRAM SYSTEM PROCURE-TO-PAY\n          PROCESS DID NOT CORRECT MATERIAL WEAKNESSES"\n\n        OFFICE OF THE DEPUTY CHIEF MANAGEMENT OFFICER (DCMO)\n                 COMMENTS TO DODIG RECOMMENDATION\n\nRECOMMENDATION c.t: "We recommend that the Deputy Chief Management Officer\nwork with the Under Secretary of Defense (Comptroller) to review the use of legacy registration\nprocesses, such as Commercial and Goverrunent Entity Codes and Routing Identifier Codes, to\ndetermine whether DoD can eliminate the databases by incorporating them into the new System\nfor Award Management database."\n\nDCMO RESPONSE: Concur. The Deputy Chief Management Officer will work with the\nUnder Secretary of Defense (Comptroller) and Defense Procurement Acquisition Policy to\ninvestigate the legacy vendor data registry process to determine whether 000 can eliminate the\ndatabases by incorporating them into the new System for Award Management database.\n\n\n                              Click to add JPEG file\n\n\n\n\n                                                          73\n\x0cDepartment Of The Army Comments\n\n\n\n\n\n                                    DEPARTMENT OF THE ARMY\n                              OFFICE OF THE ASSISTANT SECRETARY OF THE ARMY\n                                 FINANCIAL MANAGEMENT AND COMPTROLLER\n                                          1()9 ARMY PENTAGON\n                                        WASHINCiTON DC 20310..()109\n             REPlYTO\n             ATTENTION OF\n\n\n                                                     FEB     2 2012\n      SAFM-ZA\n\n\n      MEMORANDUM FOR Assistant Inspector General for Audit, Department of Defense\n      Inspector General, 4800 Mark Center Drive, Alexandria, VA 22350-1500\n\n      SUBJECT: Army Response to Draft Report Project No. D201 0-DOOOFI-0234.000,\n      Logistics Modernization Program System Procure-to-Pay Process Did Not Correct\n      Material Weaknesses\n\n\n      1. Enclosed is our response to recommendations A, B, and C in the subject draft report.\n      The draft report recommends the Army develop a plan of action and milestones to bring\n      the Logistics Modernization Program (LMP) system into compliance with the DoD\n      Business Enterprise Architecture (BEA) Procure-to-Pay (P2P) business rules. We\n      agree that the current P2P process has too many functions residing outside of LMP and\n      that increased integration of these functions is desirable. We will review the feasibility\n                                 Click to add JPEG file\n      of increasing the level of P2P integration within LMP. Results of the review will inform a\n      plan of action and milestones (POAM) identifying the desirable level of P2P integration\n      within LMP.\n\n      2. The report recommends the Army develop a plan to improve system access controls\n      within LMP. As part of audit readiness discovery and evaluation activities, we will\n      assess LMP key controls, identify deficient areas, and develop a plan to resolve\n      identified deficiencies.\n\n      3. The report also recommends that we direct in policy that the Army Enterprise\n      Systems Integration (AESIP) Program Manager (PM) selVe as the vendor master data\n      manager. We concur with the current role of the AESIP PM as vendor master data\n      manager.\n\n      4. My point of contact for this action is                 . She can be reached by\n      e-mail at                              ilorbytelephone at\n\n                                                                      n\n      Encl                                 .?O\\\n                                                   (~l~1r\\ .j~QM\n                                                     Mary Sally Mdiiella, CPA\n\n\n\n\n                                                                 74\n\x0c                                  Enclosure: Official Comments\n\n                Logistics Modernization Program System Procure-ta-Pay Process\n                              Did Not Correct Material Weaknesses\n                              Project No. D2010-DOOOFI-0234.000\n\nRecommendation.\n\nA.1. We recommend that the Director, Army Office of Business Transformation and Assistant\nSecretary of the Army (Financial Management and Comptroller) develop a plan of action and\nmilestones to bring the Logistics Modernization Program system into compliance with the DoD\nBusiness Enterprise Architecture Procure-ta-Pay business rules. Specifically, as part of the\nArmy Business System Information Technology Strategy, define the AI1TIY\'s plans for developing\neffective and efficient Logistics Modernization Program system business processes that will:\n        a. Integrate the contracting and entitlement functions.\n        b. Expedite a solution for resolving the in-transit inventory posting logic problems and\n        correct abnormal balances.\n        c. Reassess the system\'s accounts payable business process flow and posting logic and\n        determine whether additional problems exist that cause abnormal balances. If so,\n        develop the corrective actions needed to resolve those problems.\n        d. Develop performance indicators to assist in identifying the potential for significant\n        posting errors and develop responsive corrective actions.\n        e. Develop the edit checks and business workflows needed to control and route\n        purchase requests and Military Interdepartmental Purchase nequests to the appropriate\n                              Click to add JPEG file\n        individuals for approval and funds certification. This should include:\n                 (1) Associating fund codes and approval authority to an individual\'s assigned\n                 activity.\n                 (2) Assigning certification of funds availability to a limited number of individuals\n                 and developing the requirement for the system to limit funds certification to only\n                 these individuals.\n                 (3) Directing that fund managers establish commitments for purchase requests at\n                 the time an activity releases the requests for obligation actions.\n                 (4) Developing the functionality needed for separate individuals to create and\n                 accept Military Interdepartmental Purchase Requests within the system.\n                 (5) Validating the data contained in the Program Activity Table and ensuring that\n                 it is preparing manual documents correctly and developing compensating\n                 controls to validate the data integrity of manually created obligations.\n        1. Identify offline systems and procedures within the Procure-to-Pay phases, incorporate\n        the functionality into the system, and discontinue the use of offline processes. In\n        situations where Army managers cannot immediately incorporate the functionality,\n        develop compensating controls over non-integrated offline processes and restrict the\n        creation of manual commitment and obligation transactions to resource management\n        personnel.\n        g. Develop functionality within the system to capture and record the actual vendor\n        invoice date, vendor invoice number, and date of invoice receipt at the paying station.\n        Also, develop the data fields needed to record separately the actual receipt and\n        acceptance dates for goods and services.\n        h. Develop the ability to identify all documents related to Procure-ta-Pay transactions\n        within a single system query.\n        i. Develop a ready-to-pay file based on the system\'s approval of prevalidation requests.\n\n                                                 2\n\n\n\n\n                                                             75\n\x0c      Annv Response: Concur. We recognize that there are opportunities to improve the\n      efficiency 01 procure to pay (P2P) processing in the Logistics Modernization Program\n      (LMP). Current process segmentation adds to interface complexity and error rates and\n      is a source of abnormal balances. Our current system design, however, is normal for\n      typtcal EAP Implementation best practice. Best practice ls to reduce risk associated with\n      "grand design" implementation projects by first fielding a basic capability and then\n      capitalizing on investment via driving more functionality into the system. As part of the\n      Army Business System Information Technology Strategy (BSIT), we will review the\n      feasibilty at integrating additional P2P functionally within the LMP environment to\n      include recommendations in this audit report. Results of the review will be used to\n      develop a plan of action and milestones (POAM) addressing the viability of integrating\n      additional contracting and entitling functions, improving internal controls, identifying and\n      correcting abnormal balances relating to P2P transactions, and developing and tracking\n      additional matries and performance indicators. Our POAM will reflect limitations\n      imposed by the Department\'s Business Enterprise Architecture related to contract\n      writing, vendor Invoicing, payment entitlements and disbursement processing.\n\n       Although the feasibility analysis and P2P POAM w~1 identify additional opportunities to\n       enhance LMP P2P processing, significant improvements were made during 2011. For\n       eKample, we corrected the current configuration for contract authority, corrected posting\n       logic for IMPAC expenses, enhanced conHguration of Defense Travel System COTS) and\n       Integrated Product-Support Vendor (IPV) transactions. Additionally, our December 2011\n       software release added capabilities for constructive receipts, automated in-transit\n                            Click to add JPEG file\n       Inventory accrual prooesses, improved the derivation of Federal vs. Non-Federal\n       indicator, corrected posting logic resulting in the reduction of abnormal balances, and\n       Improved access controls to prevent inaccurate cross-command postings. Thase\n       improvements enabled a $1 .9 billion reduction in abnormal balances between August\n       and December 2011.\n\n       The Army will continue to leverage the Business System Information Technelogy (BSIT)\n       strategy and governance procedures to implement additional improvements as updates\n       to the Standard Financial Information Structure (SFIS) and Business Enterprise\n       Architecture (SEA) are published. We are currently in requirements definition\n       discussions for Local Vendor Pay (LVP) enhancements enabling ltvlP to perform vendor\n       payment entitlement functions currently handled by the Compulerized Accounts Payable\n       System - Windows (CAPS-W). These requirements include edit checks and business\n       workflows nceded to control and route purchase requests and Military Interdepartmental\n       Purchase Requests (MIPRs) through LMP to the appropriate individuals for approval and\n       funds certification, management of vendor data, and entitlement functions . We expect to\n       complete our requirements analysis by March 2012.\n\nA.2. We recommend that the Assistant Secretary of the Army (Financi~1 Management and\nComptroller) direct the Army Materiel Command G\xc2\xb7a to:\n       8 . Conduct Q review of the unobligated authority general ledger account balances to\n       detcnnine whether an Antideficiency Act violation occurred. and take actions to correct\n       the abnormal balances and posting logic problems related to the accounts.\n       b: Modify the Logistics Modernization Program system to cease the automatic obligation\n       of unmatched disbursements until activities accomplish proper reconciliation as required\n       by the DoD Financial Management Regulation-\n\n\n                                               3\n\n\n\n\n                                                           76\n\x0c       c. Develop a system edit check that identifies when an activity exceeds the allotment\n       contained in General Ledger Account Code 4610 and require activities to report each\n       occurrence to the Office of Assistant Secretary of the Army (Financial Management and\n       Comptroller) for Immediate resolution.\n\n       Armv Response: Concur. We will direct HQAMC to work with Defense Finance and\n       Accounting Service (DFAS) Columbus to review all limits and determine if any are over\xc2\xb7\n       obligated. If this review discloses an Antideficiency Act violation has occurred,\n       appropriate action will be taken. Abnonnal balances disclosed by the review will be\n       corrected. We will complete this review by June 2012. Army is in the process of\n       determining a compliant process so that it can discontinue the automatic obligation\n       process for UMDs (ZK process). We will conduct a workshop in March 2012 with\n       HQAMC, LMP PM, DoDIG, and DFAS to determine a compliant process and provide\n       m ilestones for transttioning 10 that process. Recognizing that there are some limitations\n       on customizing SAP, we will make use of existing reports to better monitor and flag\n       potential Issues with GLAC 4610. We will include milestones re lated to these actions in\n       the P2P POAM developed in response to Recommendation A 1 .\n\nA.3. We recommerld thaI the Assistant Secretary of the Army (Rnancial Management and\nComptroller) direct the development of a comprehensive internal control program for the\nLogistics Modernization Program Procure\xc2\xb7to\xc2\xb7Pay business process to assess the quality of\nperformance and regular management and supervisory activities over the business process.\nArmy managers should work with Logistics ModerniZation Program Project Office personnel to\nensure that they design and implement the necessary procedures and controls and develop the\n                             Click to add JPEG file\ntesting needed to ensure control effectiveness.\n\n       Army Response: Concur. As part of our Financial Improvement Plan audit readiness\n       discovery and ovaluation activities, we will assess key controls supporting all Financial\n       Improvement and Audit Readiness (FIAR) assessable units, including those related to\n       procure to pay activfties. The assessment will determine the effectiveness of the design\n       and operation of applicable control3 and identify corrective actions required to bring\n       controls into compliance with audit standards . The assessment might also recommend\n       establishing a standard performance objective for those managers and supervisors\n       working P2P processes. These actions will be completed during FY 2013.\n\n\nB.1. We recommend that the Assistant Secretary of the Army (Financial Management and\nComptroller) develop a plan for the Army Materiel Command to improve system access controls\nwithin the logistics Modernization Program system. Specifically:\n\n       a Cetennine the impact of regulatory requirements , such as the Certifying Officer\'S\n       Legislation, on the development and issuance of the functional security role templates.\n       Within 60 days of the report, identify and correct missing and defiaent official\n       appointment documentation before allowing access to the templates. Once identified ,\n       supervisors and syst9/1l administrators should ensure the proper appoi ntment of users\n       before granting access to the templates containing those functions.\n       b. Pe rform a risk assessment of the Logistics Modernization Program syste m transaction\n       screens assigned within each of the functional security role templates and minimize the\n       potential for segregation of duties conflicts . Once this assessment is completed,\n       managers should redesign the le"lliates to cover the specific job functions performed at\n\n\n                                                4\n\n\n\n\n                                                            77\n\x0c      each activity and limit user access to only those transaction screens needed to perform\n      those Job fUnctions.\n      c. Require the mapping of each Junciional security role template to the-Procure-to-Pay\n      business process to determine the existence or potential segregation of duty and least\n      privilege conflicts. If conflicts exist, realign the transaction screens as necessary to\n      prevent these conflicts.\n      d. Update the logistics Modernization Program User Access Policy and include detailed\n      procedures that prescribe:\n              (1) How administrators and supervisors should assign \'unctional security roles to\n              users.\n              (2) How to manage user access to include the use of approval databases or\n              another tracking mechanism.\n              (3) How administrators should perform regular review of system access accounts\n              suspended due to Inactivity and work with supervisors to suspend or remove all\n              roles when a user depart::; a work unit, leaves an activity installation, or loses a\n              security clearam"e\n                               .. and obtain approval by the new supervisor of all access\n              granted after reassignment.\n      e. Conduct an initial review of system access, at all levels, to identify users who have\n      been granted unneeded access and, thereafter, conduct periodic reviews of system\n      access.\n      f. Develop a method to monitor the assignment of functional security roles at the highest\n      level and ensure that activities conduct the required periodic reviews.\n\n      Army Response: Concur. ASA(FM&C) will direct HQAMC and DFAS to perform a\n                            Click to add JPEG file\n      comprehensive review of LMP system controls. The review will cover access controls,\n      interface controls, process controls, configurallon controls, and data integrity. It will\n      identify system access deficiencies and risk; and provide an approach for improving\n      them. Necessary risk assessments, compensating control reviow, role mapping ,\n      acquisition of provisioning tools/systems to identify and mitigate SOD-issues, and po~cy\n      updates will be included as part of the effort. The review will begin on/about March\n      2012.\n\n       Army and HQAMC will provide business rules for handling Segregation of Duty (SOD)\n       conflicts to update Functional Security Roles (FSRs). Many of the FSRs across the\n       enterprise are already standard. Until Governance, Risk and Compliance (GRC)\n       implementation we will continue to use existing meetings and polic.y to minimize\n       Segregation of Duties conflicts. The HQAMC User Account Manager Policy was signed\n       by HQAMC, Chief Information Officer, on January 24, 2012. Managers and supervisors\n       receive training on the use of the User Account Management system on a regular and\n       ad hoc basis as system and personnel changas occur. The policy stipulates the review\n       of all suspendod inactive accounts on an annual basis to determine if access is still\n       required . Army is in the process of reviewing appointment documentation. Additional\n       requirements will be identifiad in the POAM developed in response to Recommendation\n       A.1.\n\nB.2. We recommend that the Assistant Secretary of the Army (Financial Management and\nComptroller) work with the Army Materiel Command to:\n       a. Provide centralized training for administrators and supervisors on how to use\n      functional security role templates to administer access and prevent conflicts.\n\n\n\n                                                5\n\n\n\n\n                                                           78\n\x0c       b. Purchase the system software needed to assist in developing the system controls\n       needed to prevent or identify excessive or unauthorized access, or identify and develop\n       compatible system controls using other means.\n       c. Control administrator roles and prevent administrators from assigning functional\n       security roles to themselves or develop appropriate compensating controls.\n\n       Armv Response: Concur. Upon completion of the review in Recommendation B.1, the\n       Army will be in a better position to identify training requirements, target audiences, and\n       the right automated tool to handle provisioning of users and controlling system\n       roles/permissions. Within 60 days of the review, Army and HQAMC will review current\n       training requirements and adjust accordingly. The new HQAMC User Account Manager\n       Policy addresses functional security role assignments and the mitigation of segregation\n       of duties conflicts. HQAMC G-6 will conduct periodic reviews to ensure UAMs are not\n       assigning themselves privileges and \'Nill take action for any user violating their\n       privileges. HQAMC G-6 will oversee and instruct the commands on how to conduct an\n       annual UAM review during 3rd quarter of FY2012. Additional corrective requirements\n       will be addressed in the POAM developed in A 1.\n\n       LMP went live without Governance, Risk and Compliance (GRC) SAP functionality.\n       However, there are plans to begin configuration of the GRG functionality in February\n       2012 with an implementation date of December 2012. GRG is an automated risk and\n       compliance monitoring activity which will proactively mitigate risk and provide system\n       controls needed to prevent or identify excessive or unauthorized access and segregation\n       of duties conflicts. FSRs will be reviewed and if necessary redesigned after GRG\n                             Click to add JPEG file\n       implementation to minimize risk.\n\nC.2. We recommend that the Director, Army Office of Business Tramlformation and Assistant\nSecretary of the Army (Financial Management and Comptroller) direct in policy that the:\n       a. Army Enterpriso Systems Integration Program Manager serve as the vendor master\n       data manager with the authority and personnel to:\n               (1) Require all systems doing business with the Army to use only the vendor\n               master to populate business partner information.\n               (2) Prevent Army Enterprise Resource Planning system users from creating,\n               modifying, or deleting vendor information and only allow for view access to\n               master data by other system users.\n               (3) Validate the integrity of the business partner information contained in the\n               vendor master records.\n               (4) Create all business partner records from information contained in the Federal\n               Agency Registration and Central Contractor Registration.\n               (5) Establish individual business partner records using the Business Partner\n               Network number and create data files to populate the applicable Standard\n               Financial Information Structure attributes.\n               (6) Issue instructions on the administration and use of Anny vendor infonnation.\n       b. Routing Identifier Code locations register within Federal Agency Registration\n       database before creating a business partner record in the Army vendor master record for\n       doing business transactions with the Army or accepting any supplemental business\n       partner information from that location.\n       c. Army Enterprise Resource Planning Project Offices:\n               (1) remove functional security roles capable of adding. revising, or deleting\n               vender information; and\n\n                                                6\n\n\n\n\n                                                           79\n\x0c               (2) cease developing change requests for correcting of vendor master data.\n\n       Army Response: Concur. The Army\'s business strategy is managed by the Office of\n       Business Transformation. The "Army Business Systems Inlormation Technology\n       Strategy" dated February 14, 2011 serves as the Anny\'s foundation and roadmap for\n       executing our enterprise architecture. The BSIT states that AESIP synchronizes and\n       syndicates select enterprise master data applicable to each Army ERP ,system.\n       AdditionaJIy, AESIP supports integration hub services for each system. as applicable .\n       The B81T strategy 15 \'a living document and will evolve in response to changes .\n       Consequently, AMC and ASA (FMC) personnel will work with OBT personnel to\n       reevaluate and adjust as necessary the functions of the AESIP PM and his r~e as the\n       vendor master data manager. TIle Army will continue to leverage the Business System\n       Infonnation Technology (8SIT) strategy and governance procedures to implement\n       additional improvements as updates and opportunilie!3 avaU themselves .\n\n\nC.3. We recommend that the Army Enterprise Systems Integration Program Manager create\nand manage a vendor master based on the System for Award Management database that can:\n      a. Populate required vendor-related Standard Financiallnformalion Structure attributes\n      with valid domain values.\n      b . Establish the Business Partner Network number as the key data field for all business\n      partner records and use that data field when receiving and sending information to Army\n      and other systems.\n      C. Identify a nd track the business partner registration status in the Central Contractor\n                             Click to add JPEG file\n       Registration and Federal Agency Registration databases and System for Award\n      Management database once implemented.\n      d. Obtain all vendor information needed by Army Enterprise Resource Planning systems\n      and supporting systems.\n\n       Army Response: Concur. The PM AESIP will work with the stakeholde rs to\n       implement this recommendation. Actions take n wilt require policy. system and process\n       changes, and validation of Army vendor data to ensure that it is in sync with SAM vendor\n       data.\n\n       With respect to SAM, according to the latest data element listing at General Services\n       Administration, the ePN term wil not be used. Commercia.l and non-goverrunent entities\n       will r:eglster w ith their DUNS number and il w ill be stored in the SAM DUNS # field. 000\n       agencies will register with their DODAAC and it w~1 be stored in the SAM DOOAAC field.\n       The AESIP vendor master will be enhanced 10 be in line with the new data. We will work\n       with LMP on the best and most cost affective approach to have their system support the\n       design. Ideally, performing all fedlnon\xc2\xb7fad derivations in AESIP, syndicating the results\n       to the other systems, and prohibiting changes anywhere except in AESIP is the desired\n       goal. A cost\xc2\xb7be nefit analYSis will be required to determine if this yields a tangible return\n       on investment.\n\n       Actions related to item C.3.c. are comple ted. AESIP currently receives the registration\n       status and passes this information to the EAPs and will continue to recerve and provide\n       this information with the migration to SAM.\n\n\n\n\n                                                 7\n\n\n\n\n                                                            80\n\x0cC.4. We recommend that the Assistant Secretary of the Army (Financial Management and\nComptroller) validate that the Logistics Modernization Program system has controls in place to\nreject new contracts and payment requests 1rom business partners with inactive vendor\nregistration flags.\n        Army Response: Concur. Army will validate transactional data as part of internal\n        control assessment. The test will include a validation of business partner data in LMP\n        compared to the data for that business partner in AESIP. This validation will occur after\n        we have implemented SAM, but not later than September 30,2012. Additional\n        requirements will be addressed In the POAM developed in response to\n        Recommendation A.1.\n\n\n\n\n                               Click to add JPEG file\n\n\n\n\n                                                   8\n\n\n\n\n                                                             81\n\x0c\x0c'